Date: Tue, 28 Oct 2008 09:53:59 +0100 (CET)
From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-stable@FreeBSD.ORG, spork@bway.net
Subject: Re: 7.x and multiple IPs in jails
Message-ID: <200810280853.m9S8rxsP061073@lurza.secnetix.de>
In-Reply-To: <Pine.OSX.4.64.0810280227350.4630@toasty.nat.fasttrackmonkey.com>
Charles Sprickman wrote:
 > [...]
 > Is there any firewall hackery to be had that can at least let me do IP
 > based virtual hosts for web hosting?

A common solution is to put the jail on a localhost IP
(e.g. 127.0.0.2, whatever).  The apache inside is bound
to several arbitrary port numbers.  For example, the first
virtual host listens on port 800, the next one on port 801,
then 802, and so on.  Everything on the same jail IP.

Then use packet filter and NAT rules to forward incoming
connections from the real IP addresses to the respective
port on your jail IP:

   11.22.33.44 : 80  <-->  127.0.0.2 : 800
   11.22.33.45 : 80  <-->  127.0.0.2 : 801
   11.22.33.46 : 80  <-->  127.0.0.2 : 802
   11.22.33.47 : 80  <-->  127.0.0.2 : 803
   ...

You should be able to do that with any of the included
"firewall" packages (IPFW, IPF, PF).  Personally I prefer
IPFW, which is used like this:

   ipfw nat 1 config redirect_port tcp 127.0.0.2:800 11.22.33.44:80
   ipfw add nat 1 tcp from any to 11.22.33.44 80
   ipfw add nat 1 tcp from 127.0.0.2 800 to any

   ipfw nat 2 config redirect_port tcp 127.0.0.2:801 11.22.33.45:80
   ipfw add nat 2 tcp from any to 11.22.33.45 80
   ipfw add nat 2 tcp from 127.0.0.2 801 to any

.. and so on.  Of course you can add additional NAT rules
for port 443 (https).  Works perfectly fine for me.

(You need to enable IPFIREWALL_NAT and LIBALIAS in your
kernel, or load libalias.ko and ipfw_nat.ko with kldload.)

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Munich registry court, HRA 74606, Management:
secnetix Verwaltungsgesellsch. mbH, Commercial register: Munich registry
court, HRB 125758, Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more:  http://www.secnetix.de/bsd

"[...]  one observation we can make here is that Python makes
an excellent pseudocoding language, with the wonderful attribute
that it can actually be executed."  --  Bruce Eckel