Date: Mon, 21 Mar 2005 23:17:59 +0100 (CET)
From: Sten Spans <sten@blinkenlights.nl>
To: Sławek Żak <slawek.zak@gmail.com>
Cc: freebsd-net@freebsd.org
Subject: Re: Setup of jail bound to lo0
Message-ID: <Pine.SOC.4.61.0503212313100.25978@tea.blinkenlights.nl>
In-Reply-To: <787bbe1c0503211126680ef@mail.gmail.com>
References: <787bbe1c050315152733f79e7c@mail.gmail.com> <Pine.SOC.4.61.0503161045311.23519@tea.blinkenlights.nl> <787bbe1c0503211126680ef@mail.gmail.com>
On Mon, 21 Mar 2005, Sławek Żak wrote:
> On Wed, 16 Mar 2005 10:47:25 +0100 (CET), Sten Spans
> <sten@blinkenlights.nl> wrote:
>> On Wed, 16 Mar 2005, Sławek Żak wrote:
>>
>>> Hi,
>>>
>>
>> pf:
>>
>> # Tables: similar to macros, but more flexible for many addresses.
>> table <webservers> { 1.2.3.4, 5.6.7.8, 9.9.9.9 }
>>
>> # Translation: specify how addresses are to be mapped or redirected.
>> nat on $ext_if from $loopback_addr to any -> ($ext_if)
>>
>> # rdr: packets coming in on $ext_if with destination <webservers>:80
>> rdr on $ext_if proto tcp from any to <webservers> port 80 -> $loopback_addr port 80
>
> Hi,
>
> It sure works :)
>
> My rules are:
>
> ext_if="lnc0"
> table <webservers> { 127.0.0.2, 127.0.0.3 }
> nat on $ext_if from <webservers> to any -> ($ext_if)
> rdr on $ext_if proto tcp from any to any port 80 -> 127.0.0.2 port 80
>
> I wasn't sure what you meant by $loopback_addr. I will add rules like
> this for every server:
>
> rdr on $ext_if proto tcp from any to any port 81 -> 127.0.0.3 port 80
My setup is a bit different. I have 1 jail with ip 10.0.0.1, and multiple
external ips distributed with vrrp.

internal_net="192.168.1.0/23"
loopback_addr="10.0.0.1"
table <webservers> { 1.2.3.21, 1.2.3.22, 1.2.3.23 }

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

# Translation: specify how addresses are to be mapped or redirected.
nat on $ext_if from $loopback_addr to any -> ($ext_if)

# rdr: packets coming in on $ext_if with destination <webservers>:80
rdr on $ext_if proto tcp from any to <webservers> port 80 -> $loopback_addr port 80

# block all packets from $loopback_addr on the internal interface
block in on $lo_if from $loopback_addr to $internal_net
> Nice thing this PF. I can't do this in IPFilter.
pf is quite nice indeed.
> Thank you very mach Sten!
no problem.
--
Sten Spans
"There is a crack in everything, that's how the light gets in."
Leonard Cohen - Anthem
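A complete pf.conf assembled from the rules exchanged in this thread, as an added example rather than anything Sten or Sławek posted. It assumes the external interface lnc0 from Sławek's rules, lo0 as the loopback interface, the two jail addresses 127.0.0.2 and 127.0.0.3 bound to lo0, and the 192.168.1.0/23 internal net from Sten's snippet. The default block and the pass rules are not in the thread; they are added because an rdr rule only rewrites the destination, so without a matching pass rule the redirected packets are still subject to filtering, and without a default block everything else reaches the host as well.

```pf
# --- macros and tables (interface names and addresses are assumptions) ---
ext_if="lnc0"
lo_if="lo0"
internal_net="192.168.1.0/23"

# loopback addresses the jails are bound to
table <jails> { 127.0.0.2, 127.0.0.3 }
# public addresses on $ext_if that should answer for the jails
table <webservers> { 1.2.3.21, 1.2.3.22, 1.2.3.23 }

# --- normalization: reassemble fragments before nat/rdr/filtering ---
scrub in all

# --- translation ---
# outbound traffic from the jails leaves with the external address
nat on $ext_if from <jails> to any -> ($ext_if)

# port 80 on the public addresses goes to the first jail,
# port 81 to the second (both jails listen on 80, as in Sławek's setup)
rdr on $ext_if proto tcp from any to <webservers> port 80 -> 127.0.0.2 port 80
rdr on $ext_if proto tcp from any to <webservers> port 81 -> 127.0.0.3 port 80

# --- filtering (last matching rule wins unless "quick") ---
# default deny inbound, log what is dropped; allow the host/jails outbound
block in log all
pass out keep state

# filtering sees the translated destination, so pass to the jail addresses,
# not to <webservers>; only new TCP connections (SYN) create state
pass in on $ext_if proto tcp from any to <jails> port 80 \
    flags S/SA keep state

# loopback traffic in general is fine ...
pass on $lo_if

# ... but the jails must never reach the internal network through lo0
# (listed after the generic pass so that it takes precedence)
block in log on $lo_if from <jails> to $internal_net
```

Check the file with pfctl -nf /etc/pf.conf before loading it; that parses the rules without installing them. Once loaded, pfctl -sn lists the nat and rdr rules and pfctl -sr the filter rules in the order pf evaluates them, which makes it easy to confirm that the block on lo0 really sits after the generic pass on that interface. Logging on the two block rules means any attempt by a jail to reach the internal net shows up on pflog0 rather than silently disappearing.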