From: Виталий Владимирович <artemrts@ukr.net>
To: other@ahhyes.net
Cc: freebsd-jail@freebsd.org
Date: Sun, 22 Jan 2012 10:39:42 +0200
Subject: Re: nat + pf, network weirdness

--- Original message ---
From: other@ahhyes.net
To: freebsd-jail@freebsd.org
Date: 22 January 2012, 09:38:51
Subject: Re: nat + pf, network weirdness

> On 2012-01-22 01:13, Виталий Владимирович wrote:
> >> nat on xn0 from 10.1.1.0/24 to any -> (xn0)
> >>
> > You should use Packet Tagging (Policy Filtering).
> > Something like this:
> >
> > nat on $ext_if tag WWW tagged WWW -> ($ext_if)
> > nat on $ext_if tag SQL tagged SQL -> ($ext_if)
> >
> > ......
> >
> > block in
> > block out
> > pass in quick on lo1 inet from 10.1.1.1 to !(self) tag WWW   <- mark traffic from jail to world
> > .....
> > pass out quick on $ext_if inet from ($ext_if) tagged WWW      <- dispatch only marked WWW
> >
> > PF works very well in situations like this. With PF it is possible to
> > divide LAN traffic and router traffic easily.
>
> Could someone please explain how the nat rules work in the above
> example? I had a quick look at the pf manpage for tagging but it does
> not mention its use in conjunction with NAT. Is there much connection
> overhead/performance difference by using tags? Is the above the only
> solution?

You should read manuals more carefully:

    nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
               [ "on" ifspec ] [ af ] [ protospec ]
               hosts [ "tag" string ] [ "tagged" string ]
               [ "->" ( redirhost | "{" redirhost-list "}" )
               [ portspec ] [ pooltype ] [ "static-port" ] ]
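As an added example (not from either poster), here is a complete pf.conf in the shape the reply sketches, with the macros, a second jail and the host's own traffic filled in; the interface names, jail addresses and the SQL jail are assumptions.

```pf
# Added example: tag-based NAT for jails (names and addresses are assumed).
ext_if   = "xn0"      # external interface
jail_if  = "lo1"      # cloned loopback carrying the jail addresses
jail_www = "10.1.1.1"
jail_sql = "10.1.1.2"

# Translation rules are evaluated before filter rules on the outbound path,
# so "tagged" only matches packets that already carried the tag when they
# entered on $jail_if.  Untagged host traffic is never translated.
nat on $ext_if tagged WWW -> ($ext_if)
nat on $ext_if tagged SQL -> ($ext_if)

block in
block out

# Tag each jail's traffic as it enters the host; the tag persists while
# the packet is in the kernel, so the nat and "pass out" rules can see it.
pass in quick on $jail_if inet from $jail_www to !(self) tag WWW
pass in quick on $jail_if inet from $jail_sql to !(self) tag SQL

# Only tagged (i.e. jail-originated, now translated) traffic may leave
# through the external interface; untagged jail traffic is dropped by
# "block out", which is the egress control this scheme buys you.
pass out quick on $ext_if inet from ($ext_if) tagged WWW
pass out quick on $ext_if inet from ($ext_if) tagged SQL

# The host's own traffic is untagged, so it needs its own explicit rule.
pass out quick on $ext_if inet from ($ext_if) to any
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -sr` and `pfctl -sn` show the filter and translation rules as parsed.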