Date:      Sun, 26 Jun 2016 10:25:26 +0000
From:      James Lodge <James@Lodge.me.uk>
To:        "org.freebsd.security@io7m.com" <org.freebsd.security@io7m.com>, "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject:   Re: Filtering outbound traffic for private address jails?
Message-ID:  <DB5PR06MB17180AF87FC06D8612F6427DF9200@DB5PR06MB1718.eurprd06.prod.outlook.com>
In-Reply-To: <20160626100643.7a1f650e@copperhead.int.arc7.info>
References:  <20160625220137.1ed8de16@copperhead.int.arc7.info> <B587F027-A8E5-4B5F-AC1A-07AEDB26F022@Lodge.me.uk>, <20160626100643.7a1f650e@copperhead.int.arc7.info>


>'Lo.

>On 2016-06-26T02:32:04 +0000
>James Lodge <James@Lodge.me.uk> wrote:
>
> If you clone lo1, give it a 192.168.x.x/32 IP and then use the following pf.conf
> Do you need to bridge the interfaces? You may need to add gateway_enable="YES" to rc.conf
>
> Not sure if that's what you're trying to do?
>
> James
>
>
> IP_PUB="Your Public IP Address Here"
> IP_JAIL="192.168.0.2"
> NET_JAIL="192.168.0.0/24"
> PORT_JAIL="{80,443,2020}"
>
> scrub in all
> nat pass on em0 from $NET_JAIL to any -> $IP_PUB
> rdr pass on em0 proto tcp from any to $IP_PUB port $PORT_JAIL -> $IP_JAIL

>Interesting!

>Writing the filtering rules as "nat pass" statements does at least
>allow basic outbound filtering, as specifying a rule along with the nat
>statement allows you to talk about individual specific jails.

>Thanks, I will try using this if vnet jails don't work out.

>M


I'm doing something very similar to you in a Digital Ocean droplet with a
single public IP, though I don't filter outbound. I reverse proxy HTTP(S)
via nginx with SNI support mostly. It works very well for me, I just wish
(though I know it's being looked at and possibly coming soon) I had ZFS.
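The per-jail outbound filtering that the quoted reply describes, carried through for two jails, as an added example that is not part of this thread. The interface name em0, the placeholder public address 203.0.113.10 and the jail addresses are assumptions; on FreeBSD's pf, outbound NAT is applied before the filter ruleset, so a plain "pass out on em0 from 192.168.0.2" would never match (the source is already translated), which is why the policy is attached to the nat rules themselves:

```pf
# /etc/pf.conf fragment (added example; names and addresses are assumptions)
ext_if   = "em0"
ip_pub   = "203.0.113.10"      # placeholder public address
jail_www = "192.168.0.2"       # web jail on lo1
jail_app = "192.168.0.3"       # application jail on lo1
net_jail = "192.168.0.0/24"

scrub in all

# Outbound policy per jail. "nat pass" both translates and passes the packet
# (the filter ruleset is skipped), so each rule names exactly one jail and
# only the destination ports that jail legitimately needs. Traffic from a
# jail that matches none of these rules is left untranslated and falls
# through to the filter rules below.
nat pass on $ext_if proto tcp from $jail_www to any port { 80, 443 } -> $ip_pub
nat pass on $ext_if proto udp from $jail_www to any port 53 -> $ip_pub
nat pass on $ext_if proto udp from $jail_app to any port 123 -> $ip_pub

# Inbound: redirect the public web ports to the web jail
rdr pass on $ext_if proto tcp from any to $ip_pub port { 80, 443 } -> $jail_www

# Anything from jail address space that was not translated above must not
# leave the host with a private source address; log it so the attempt is
# visible (pflog0).
block out log quick on $ext_if from $net_jail to any

# The host's own outbound traffic is unaffected
pass out on $ext_if from $ip_pub to any keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it; a jail's connection attempt to a port not listed in its nat rule then shows up on pflog0 as a blocked packet from the jail's 192.168.0.x address.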


