Date:      Sun, 22 Jan 2012 10:39:42 +0200
From:      Виталий Владимирович <artemrts@ukr.net>
To:        other@ahhyes.net
Cc:        freebsd-jail@freebsd.org
Subject:   Re: nat + pf, network weirdness
Message-ID:  <41602.1327221582.9511199608840192000@ffe16.ukr.net>
In-Reply-To: <f409a0728a8216b138a7c61d52e2551a@ahhyes.net>
References:  <ccb513567c50edc1c35dbe53cc9ff804@ahhyes.net> <f409a0728a8216b138a7c61d52e2551a@ahhyes.net> <22966.1327155238.9808034899287998464@ffe8.ukr.net>



--- Original message ---
From: other@ahhyes.net
To: freebsd-jail@freebsd.org
Date: 22 January 2012, 09:38:51
Subject: Re: nat + pf, network weirdness

> On 2012-01-22 01:13, Виталий Владимирович wrote:
> >> nat on xn0 from 10.1.1.0/24 to any -> (xn0)
> >>
> >   You should use Packet Tagging (Policy Filtering).
> >   Something like this:
> >
> >   nat on $ext_if tag WWW tagged WWW -> ($ext_if)
> >   nat on $ext_if tag SQL tagged SQL -> ($ext_if)
> >
> >   ......
> >
> >    block in
> >    block out
> >    pass in quick on lo1 inet from 10.1.1.1 to !(self) tag WWW <- mark
> > traffic from jail to world
> >    .....
> >    pass out quick on $ext_if inet from ($ext_if) tagged WWW <-
> > dispatch only marked WWW
> >
> >   PF works very well in situations like this. With PF it is possible to
> > divide LAN traffic and router traffic easily.
> 
> Could someone please explain how the nat rules work in the above 
> example, I had a quick look at the pf manpage for tagging but it does 
> not mention its use in conjunction with NAT. Is there much connection 
> overhead/performance difference by using tags? Is the above the only 
> solution?
 
 You should read the manuals more carefully.

 nat-rule       = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
                      [ "on" ifspec ] [ af ]
                      [ protospec ] hosts [ "tag" string ] [ "tagged" string ]
                      [ "->" ( redirhost | "{" redirhost-list "}" )
                      [ portspec ] [ pooltype ] [ "static-port" ] ]
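A complete ruleset showing what the tag/tagged scheme quoted above buys you, as an added example that is not from this thread, from the FreeBSD project or from pf.conf(5): it assumes the thread's xn0 as the external interface, two jails on lo1 at 10.1.1.1 (WWW) and 10.1.1.2 (SQL), and an invented policy that the SQL jail may only open TCP 80/443 connections to the outside. It differs from the quoted snippet in two ways. The from/to part of each nat rule is written out, because the grammar excerpt above lists hosts as mandatory, not optional. And the tag is attached by the nat rule itself rather than by a pass in rule on lo1, so the ruleset depends only on pf evaluating translation rules before filter rules on the outbound path. Either way the filter on $ext_if sees the packet after translation, which is why the out rules match on ($ext_if) plus the tag rather than on the jail address.

```pf
# Added example, not from the thread or from FreeBSD.  Assumed layout:
# external interface xn0 (as in the thread), jails on lo1 at 10.1.1.1
# (WWW) and 10.1.1.2 (SQL); the SQL jail's "TCP 80/443 only" policy is
# invented for illustration.
ext_if   = "xn0"
jail_if  = "lo1"
www_jail = "10.1.1.1"
sql_jail = "10.1.1.2"

set skip on lo0

# Translation runs before filtering.  Each nat rule marks the packet (and
# the state created for it) with its own tag, so after translation the
# filter can still tell whose packet this is even though both jails now
# appear as ($ext_if).  The host's own traffic matches no nat rule and
# therefore stays untagged.
nat on $ext_if from $www_jail to any tag WWW -> ($ext_if)
nat on $ext_if from $sql_jail to any tag SQL -> ($ext_if)

block in all
block out all

# Jail <-> host traffic on lo1 is never translated (nat is only on $ext_if).
pass quick on $jail_if

# Outbound on $ext_if the source is already ($ext_if), so the tag is the
# only thing that separates the two jails from each other and from the host.
pass out quick on $ext_if inet from ($ext_if) tagged WWW
pass out quick on $ext_if inet proto tcp from ($ext_if) to any \
    port { 80, 443 } tagged SQL

# Anything else the SQL jail tries is dropped here, before the untagged
# host rule below could let it through.
block out quick on $ext_if tagged SQL

# Host's own traffic: untagged, allowed out; inbound only ssh to the host.
pass out quick on $ext_if inet from ($ext_if) to any
pass in  quick on $ext_if inet proto tcp from any to ($ext_if) port 22
```

Check the file with pfctl -nvf /etc/pf.conf before loading it. Once it is loaded, pfctl -vs nat prints per-rule packet counters, so you can watch each jail hit its own nat rule, and pfctl -vs rules shows the SQL block rule counting whatever the SQL jail tried outside 80/443. Tags travel with the state, so only the first packet of a connection is matched against the ruleset; later packets are handled by the state lookup.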



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?41602.1327221582.9511199608840192000>