Date: Mon, 21 Mar 2005 23:17:59 +0100 (CET)
From: Sten Spans <sten@blinkenlights.nl>
To: Sławek Żak <slawek.zak@gmail.com>
Cc: freebsd-net@freebsd.org
Subject: Re: Setup of jail bound to lo0
Message-ID: <Pine.SOC.4.61.0503212313100.25978@tea.blinkenlights.nl>
In-Reply-To: <787bbe1c0503211126680ef@mail.gmail.com>
References: <787bbe1c050315152733f79e7c@mail.gmail.com> <Pine.SOC.4.61.0503161045311.23519@tea.blinkenlights.nl> <787bbe1c0503211126680ef@mail.gmail.com>
On Mon, 21 Mar 2005, Sławek Żak wrote:

> On Wed, 16 Mar 2005 10:47:25 +0100 (CET), Sten Spans
> <sten@blinkenlights.nl> wrote:
>> On Wed, 16 Mar 2005, Sławek Żak wrote:
>>
>>> Hi,
>>>
>>
>> pf:
>>
>> # Tables: similar to macros, but more flexible for many addresses.
>> table <webservers> { 1.2.3.4, 5.6.7.8, 9.9.9.9 }
>>
>> # Translation: specify how addresses are to be mapped or redirected.
>> nat on $ext_if from $loopback_addr to any -> ($ext_if)
>>
>> # rdr: packets coming in on $ext_if with destination <webservers>:80
>> rdr on $ext_if proto tcp from any to <webservers> port 80 -> $loopback_addr port 80
>
> Hi,
>
> It sure works :)
>
> My rules are:
>
> ext_if="lnc0"
> table <webservers> { 127.0.0.2, 127.0.0.3 }
> nat on $ext_if from <webservers> to any -> ($ext_if)
> rdr on $ext_if proto tcp from any to any port 80 -> 127.0.0.2 port 80
>
> I wasn't sure what you meant by $loopback_addr. I will add rules like
> this for every server:
>
> rdr on $ext_if proto tcp from any to any port 81 -> 127.0.0.3 port 80

My setup is a bit different. I have one jail with IP 10.0.0.1,
and multiple external IPs distributed with VRRP.

internal_net="192.168.1.0/23"
loopback_addr="10.0.0.1"
table <webservers> { 1.2.3.21, 1.2.3.22, 1.2.3.23 }

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

# Translation: specify how addresses are to be mapped or redirected.
nat on $ext_if from $loopback_addr to any -> ($ext_if)

# rdr: packets coming in on $ext_if with destination <webservers>:80
rdr on $ext_if proto tcp from any to <webservers> port 80 -> $loopback_addr port 80

# block all packets from $loopback_addr on the internal interface
block in on $lo_if from $loopback_addr to $internal_net

> Nice thing this PF. I can't do this in IPFilter.

pf is quite nice indeed.

> Thank you very much Sten!

no problem.

-- 
Sten Spans
"There is a crack in everything, that's how the light gets in."
Leonard Cohen - Anthem
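An added, complete pf.conf for the two-jail layout Sławek describes (127.0.0.2 and 127.0.0.3 aliased on lo0, one external port per jail), combined with the jail-isolation idea in Sten's loopback block rule. This is example configuration written for this page, not a file from either poster. The interface name lnc0 and the jail addresses are taken from the thread; the rc.conf alias lines, the 192.168.1.0/24 LAN and the `<jails>` table name are assumptions.

```pf
# Example pf.conf (added here, not from the thread).
# Assumptions: lnc0 is the only interface; the jails got their addresses via
#   ifconfig_lo0_alias0="inet 127.0.0.2 netmask 0xffffffff"
#   ifconfig_lo0_alias1="inet 127.0.0.3 netmask 0xffffffff"
# in /etc/rc.conf; 192.168.1.0/24 is a LAN the jails must not reach.
ext_if="lnc0"
lo_if="lo0"
internal_net="192.168.1.0/24"
table <jails> { 127.0.0.2, 127.0.0.3 }

# Normalization: reassemble fragments before anything else looks at them.
scrub in all

# Translation. Jail-to-LAN traffic is exempted from nat so the filter rules
# below still see the 127.0.0.x source and can block it; everything else the
# jails send out is masqueraded behind the external address.
no nat on $ext_if from <jails> to $internal_net
nat on $ext_if from <jails> to any -> ($ext_if)

# One external port per jail. Matching on ($ext_if) rather than "any" means
# only traffic addressed to this host is redirected, never forwarded traffic.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> 127.0.0.2 port 80
rdr on $ext_if proto tcp from any to ($ext_if) port 81 -> 127.0.0.3 port 80

# Filtering. Filter rules see the translated packet, so the inbound passes
# name the jail address and port 80, not the external port 81.
block in on $ext_if all
pass in on $ext_if proto tcp from any to 127.0.0.2 port 80 flags S/SA keep state
pass in on $ext_if proto tcp from any to 127.0.0.3 port 80 flags S/SA keep state
# "quick" so the later pass-out rule cannot override this block (last match wins).
block out quick on $ext_if from <jails> to $internal_net
pass out on $ext_if all keep state

# Jail isolation on lo0. Traffic between two lo0 aliases never leaves lo0,
# so this is the only place one jail can be kept away from the other.
# These rules are void if lo0 is exempted from filtering (e.g. "set skip on lo0").
block in on $lo_if from 127.0.0.2 to 127.0.0.3
block in on $lo_if from 127.0.0.3 to 127.0.0.2
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Two things to keep in mind when testing: the rdr rules only rewrite packets that arrive on `$ext_if`, so a connection from the host itself to its own external address on port 80 is not redirected (it travels over lo0); and inside a jail 127.0.0.1 is mapped to the jail's own address, so a jail talking to "localhost" reaches itself, not the host's 127.0.0.1 services.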
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.SOC.4.61.0503212313100.25978>