From: Sławek Żak
To: Sten Spans
cc: freebsd-net@freebsd.org
Date: Mon, 21 Mar 2005 20:26:55 +0100
Subject: Re: Setup of jail bound to lo0
Message-ID: <787bbe1c0503211126680ef@mail.gmail.com>
References: <787bbe1c050315152733f79e7c@mail.gmail.com>
List-Id: Networking and TCP/IP with FreeBSD

On Wed, 16 Mar 2005 10:47:25 +0100 (CET), Sten Spans wrote:
> On Wed, 16 Mar 2005, Sławek Żak wrote:
>
> > Hi,
> >
> > I need to have some jails configured, sharing a single IP address (IPv6
> > is a no-no for the time being:). Therefore I came up with an idea of
> > binding them all to lo0 and assigning subsequent IP aliases as the
> > addresses. The requirement for the jails is to let them receive
> > (the easy part) and *send* packets to the outside.
> >
> > The jails cannot directly access the Internet as they cannot bind to
> > the external IP address of course. Some translation needs to be made,
> > I think. After wrestling with ipfw/ipf/pf for a couple of hours I
> > don't have a working solution.
> >
>
> pf:
>
> # Tables: similar to macros, but more flexible for many addresses.
> table { 1.2.3.4, 5.6.7.8, 9.9.9.9 }
>
> # Translation: specify how addresses are to be mapped or redirected.
> nat on $ext_if from $loopback_addr to any -> ($ext_if)
>
> # rdr: packets coming in on $ext_if with destination :80
> rdr on $ext_if proto tcp from any to port 80 -> $loopback_addr port 80

Hi,

It sure works :) My rules are:

ext_if="lnc0"
table { 127.0.0.2, 127.0.0.3 }
nat on $ext_if from to any -> ($ext_if)
rdr on $ext_if proto tcp from any to any port 80 -> 127.0.0.2 port 80

I wasn't sure what you meant by $loopback_addr. I will add rules like
this for every server:

rdr on $ext_if proto tcp from any to any port 81 -> 127.0.0.3 port 80

Nice thing this PF. I can't do this in IPFilter.

Thank you very much Sten!

/S
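The rule set below is an added example, not taken from either message in the thread, showing what a complete /etc/pf.conf for the setup discussed above looks like. The interface name lnc0 and the loopback aliases 127.0.0.2 and 127.0.0.3 come from the thread; the table name <jails>, the use of "to ($ext_if)" instead of "to any" on the rdr rules, the "set skip on lo0" line and the filter rules are assumptions added here.

```pf
# Added example (not from the thread): full pf.conf for jails bound to lo0
# aliases behind a single external address. Interface name and aliases are
# from the thread; the table name <jails> and the filter policy are assumed.

ext_if = "lnc0"

# Loopback aliases the jails are bound to (assumed table name).
table <jails> { 127.0.0.2, 127.0.0.3 }

# Host<->jail and jail<->jail traffic stays on lo0; leave it unfiltered.
# Drop this line and write explicit lo0 rules instead if the jails must
# not be able to reach each other or host services listening on lo0.
set skip on lo0

# Outbound: rewrite the jails' 127.0.0.x source to whatever address lnc0
# currently holds, so replies come back to this host and get un-NATed.
nat on $ext_if from <jails> to any -> ($ext_if)

# Inbound: redirect only connections aimed at the host's own external
# address ("to ($ext_if)" rather than "to any"), one external port per jail.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> 127.0.0.2 port 80
rdr on $ext_if proto tcp from any to ($ext_if) port 81 -> 127.0.0.3 port 80

# nat/rdr only translate; the filter rules still decide what passes.
# Filtering sees the post-rdr destination, so the pass rule names <jails>.
block in on $ext_if
pass out on $ext_if keep state
pass in on $ext_if proto tcp from any to <jails> port 80 keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and confirm the translations and the resulting state entries with `pfctl -s nat` and `pfctl -s state`. Writing the rdr rules with "to ($ext_if)" rather than "to any" matters on a host that also forwards packets: "to any" would redirect port 80 traffic merely passing through the box, not just traffic addressed to it.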