From: Sten Spans <sten@blinkenlights.nl>
To: Sławek Żak
cc: freebsd-net@freebsd.org
Date: Mon, 21 Mar 2005 23:17:59 +0100 (CET)
Subject: Re: Setup of jail bound to lo0
In-Reply-To: <787bbe1c0503211126680ef@mail.gmail.com>
References: <787bbe1c050315152733f79e7c@mail.gmail.com> <787bbe1c0503211126680ef@mail.gmail.com>
List-Id: Networking and TCP/IP with FreeBSD
On Mon, 21 Mar 2005, Sławek Żak wrote:

> On Wed, 16 Mar 2005 10:47:25 +0100 (CET), Sten Spans
> wrote:
>> On Wed, 16 Mar 2005, Sławek Żak wrote:
>>
>>> Hi,
>>>
>>
>> pf:
>>
>> # Tables: similar to macros, but more flexible for many addresses.
>> table { 1.2.3.4, 5.6.7.8, 9.9.9.9 }
>>
>> # Translation: specify how addresses are to be mapped or redirected.
>> nat on $ext_if from $loopback_addr to any -> ($ext_if)
>>
>> # rdr: packets coming in on $ext_if with destination :80
>> rdr on $ext_if proto tcp from any to port 80 -> $loopback_addr port 80
>
> Hi,
>
> It sure works :)
>
> My rules are:
>
> ext_if="lnc0"
> table { 127.0.0.2, 127.0.0.3 }
> nat on $ext_if from to any -> ($ext_if)
> rdr on $ext_if proto tcp from any to any port 80 -> 127.0.0.2 port 80
>
> I wasn't sure what you meant by $loopback_addr. I will add rules like
> this for every server:
>
> rdr on $ext_if proto tcp from any to any port 81 -> 127.0.0.3 port 80

My setup is a bit different. I have 1 jail with IP 10.0.0.1, and
multiple external IPs distributed with VRRP.

internal_net="192.168.1.0/23"
loopback_addr="10.0.0.1"
table { 1.2.3.21, 1.2.3.22, 1.2.3.23 }

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

# Translation: specify how addresses are to be mapped or redirected.
nat on $ext_if from $loopback_addr to any -> ($ext_if)

# rdr: packets coming in on $ext_if with destination :80
rdr on $ext_if proto tcp from any to port 80 -> $loopback_addr port 80

# block all packets from $loopback_addr on the internal interface
block in on $lo_if from $loopback_addr to $internal_net

> Nice thing this PF. I can't do this in IPFilter.

pf is quite nice indeed.

> Thank you very much Sten!

no problem.

-- 
Sten Spans
"There is a crack in everything, that's how the light gets in."
Leonard Cohen - Anthem
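The following pf.conf is an added example for the setup discussed in this thread; it is not Sten's or Sławek's configuration. It puts Sławek's two loopback-bound jails (127.0.0.2 and 127.0.0.3, external interface lnc0, one external port per jail) together with Sten's rule that keeps jail traffic off the internal network, and adds the filter rules the thread leaves out. Assumed and not taken from the thread: the table name <jail_ips>, the internal interface name xl0, and the internal network 192.168.1.0/23 reused from Sten's message.

```pf
# Added example, not from the thread. Assumed names: <jail_ips>, xl0.
ext_if="lnc0"
int_if="xl0"                      # assumed: host's internal LAN interface
internal_net="192.168.1.0/23"

# One table holds every jail address, so nat, rdr and block rules do not
# have to be edited when a jail is added: just extend the table.
table <jail_ips> { 127.0.0.2, 127.0.0.3 }

# Reassemble fragments before translation and filtering.
scrub in all

# Outbound: the jails' loopback addresses are hidden behind the external
# address. This rewrites the source only on $ext_if.
nat on $ext_if from <jail_ips> to any -> ($ext_if)

# Inbound: one external port per jail, each redirected to that jail's port 80.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> 127.0.0.2 port 80
rdr on $ext_if proto tcp from any to ($ext_if) port 81 -> 127.0.0.3 port 80

# Jails must not reach the internal network. Their source address is still
# 127.0.0.x here because nat only rewrites on $ext_if; "quick" ends rule
# evaluation so no later pass rule can override this block.
block out quick on { lo0, $int_if } from <jail_ips> to $internal_net

# Default deny, then allow only what the rdr rules deliver. Filter rules
# see the translated destination, so match on <jail_ips> port 80, not on
# the external port 81.
block in all
pass in on $ext_if proto tcp from any to <jail_ips> port 80 keep state
pass out on $ext_if keep state
pass on $int_if keep state
pass on lo0
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it (the `-n` flag parses without changing the running rules), and inspect the loaded translation rules with `pfctl -sn`. Do not put lo0 in a `set skip` line: the block that keeps jail traffic off the internal network depends on pf seeing lo0.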