From: Beeblebrox
To: freebsd-pf@freebsd.org
Date: Fri, 20 Dec 2013 07:36:34 -0800 (PST)
Subject: Re: NAT & RDR rules for jailed proxy services
Message-ID: <1387553794487-5870320.post@n5.nabble.com>
In-Reply-To: <52B4463F.3080900@innolan.dk>
References: <1387383838536-5869777.post@n5.nabble.com> <52B4463F.3080900@innolan.dk>

Hello and thanks for your answer. I would like to make sure that I was able to explain myself correctly:

1. (lo0 + IntIF:network) for (JaTCP ports) --> $JailIf (lo2) --> ExtIf
2. (lo0 + IntIF:network) for !(JaTCP ports) --> ExtIf

This is, let's say, a "reverse jail" problem. While most pf.confs aim to provide jailed services to traffic arriving from the outside, I'm trying to provide jailed services to traffic originating from the inside, which is then forwarded to the outside.

I had some difficulty understanding the packet flow logic in your explanation, so forgive me for asking once more. As an example from what you indicated, does this ruleset do the job?

# Begin NAT & RDR rules
# For the privoxy jail
nat pass in quick on $JailIf from !$JailIf to $JailIf port 8118 tag NAT_PRVX -> $j_privoxy port 8118
nat pass out quick on $JailIf from $j_privoxy to !$JailIf port 8118 tag NAT_PRVX -> $JailIf port 80

# For the unbound jail, there's a problem. Other jailed IPs on $JailIf will want a DNS server they can query.
nat pass in quick on $JailIf proto {tcp,udp} from any to $j_dns port domain tag NAT_DNS -> $j_dns
nat pass out quick on $JailIf proto {tcp,udp} from $j_dns to $ExtIf port domain tag NAT_PRVX -> $ExtIf

# Lastly
nat on $ExtIf from any to !($ExtIf) -> ($ExtIf)

It looks to me like it still does not quite make complete sense.

Thanks for your time.

-----
FreeBSD-11-current_amd64_root-on-zfs_RadeonKMS
--
View this message in context: http://freebsd.1045724.n5.nabble.com/NAT-RDR-rules-for-jailed-proxy-services-tp5869777p5870320.html
Sent from the freebsd-pf mailing list archive at Nabble.com.
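The flow described above as a ruleset, added here as an example and not taken from the thread or from any reply in it: in pf's nat/rdr syntax, rdr rewrites the destination of packets arriving on an interface and nat rewrites the source of packets leaving one, so the inside-to-jail leg is a redirect and only the jail-to-outside leg is a NAT. The macro names follow the thread; the interface names, jail addresses and the proxy port are constructed placeholders.

```pf
# Macros: names follow the thread, values are constructed placeholders
ExtIf      = "em0"          # uplink
IntIf      = "em1"          # LAN side
JailIf     = "lo2"          # cloned loopback carrying the jail addresses
JailNet    = "10.0.2.0/24"
j_privoxy  = "10.0.2.2"
j_dns      = "10.0.2.3"
proxy_port = "8118"

# Plain loopback traffic is neither filtered nor translated.
set skip on lo0

# Leg 1 (inside -> jailed proxy). rdr rewrites the DESTINATION of packets
# arriving on $IntIf, so a LAN client connecting to <any host>:8118 lands on
# privoxy inside the jail. "pass" lets the rewritten packet through, and the
# state entry undoes the translation on the replies.
rdr pass on $IntIf inet proto tcp from $IntIf:network to any port $proxy_port -> $j_privoxy port $proxy_port

# Leg 2 (jails -> outside). nat rewrites the SOURCE of packets leaving the
# uplink, so privoxy's fetches and unbound's upstream lookups go out as the
# external address. LAN hosts on all other ports take the same path.
nat pass on $ExtIf inet from { $IntIf:network $JailNet } to any -> ($ExtIf)

# The other jails resolve through unbound without any translation at all:
# their resolv.conf names $j_dns directly, so only a filter rule is needed.
block log all
pass out inet from { ($ExtIf) $IntIf:network $JailNet } to any
pass in on $IntIf inet from $IntIf:network to any
pass in inet proto { tcp udp } from $JailNet to $j_dns port domain
```

An inbound rdr on $IntIf does not see connections the host itself originates, so processes on the host should be pointed at $j_privoxy directly; the loaded translation and filter rules can be checked with pfctl -s nat and pfctl -s rules.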