Date: Wed, 11 Aug 2010 06:10:06 -0800
From: David Allen <the.real.david.allen@gmail.com>
To: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc: Fbsd8 <fbsd8@a1poweruser.com>, Brice ERRANDONEA <berrandonea@yahoo.fr>, freebsd-questions@freebsd.org, "Randal L. Schwartz" <merlyn@stonehenge.com>
Subject: Re: How to connect a jail to the web ?
Message-ID: <AANLkTi=k_t0iFoL4M1KyRKmc8OzQ9501tVLH=T5eqdyC@mail.gmail.com>
In-Reply-To: <4C62AAA3.7090708@infracaninophile.co.uk>
References: <268321.67123.qm@web24608.mail.ird.yahoo.com> <4C61E8B1.7050605@a1poweruser.com> <86mxsuynm0.fsf@red.stonehenge.com> <4C625468.8010805@infracaninophile.co.uk> <86aaotxopm.fsf@red.stonehenge.com> <4C62AAA3.7090708@infracaninophile.co.uk>
> I meant that you could block access to private servers which need to
> listen on public network ports by just using firewall rules, as opposed
> to making the whole jail hang off a private interface and just
> forwarding selected traffic to it.
>
> For the second case, you would need pf to do the NAT'ing (or ipfw+natd
> if that's your preference). With this trick of binding the sensitive
> daemons to an address on the loopback, you are still secure even if pf
> gets turned off. Of course, "secure" is not necessarily the same as
> "working."

I've read comments in the past about setting up jails using local loopback
addresses, but I'm wondering if you wouldn't mind elaborating on what the
actual pf rules would look like.

Say you have 3 jails and more than one public IP address:

    ns    127.0.0.2  public_ip_1
    mail  127.0.0.3  public_ip_2
    www   127.0.0.4  public_ip_3

You want to pass port 25 traffic to/from the 'mail' jail. But you also need
that jail to use the correct public_ip address. Is that possible without
using, for example, pf's binat?

Thanks.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AANLkTi=k_t0iFoL4M1KyRKmc8OzQ9501tVLH=T5eqdyC>
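The rule set the question asks for, written out as an added example; it is not part of the original message or of any reply in the thread. It assumes the three jail addresses are configured as host aliases on lo0, that the external interface is em0, and it uses 192.0.2.1-3 from the documentation range as stand-ins for public_ip_1..3. The syntax is the FreeBSD 8-era pf.conf layout, where nat/rdr/binat translation rules come before the filter rules. Two variants are shown: rdr plus nat (publishes only the listed ports) and binat (one bidirectional 1:1 mapping per jail), so the question "is that possible without binat?" is answered by the first variant.

```pf
# /etc/pf.conf fragment (added example, not from the thread).
# Assumptions: jails live on lo0 aliases 127.0.0.2-4, external NIC is em0,
# 192.0.2.1-3 stand in for public_ip_1..3.
ext_if = "em0"

ns_jail   = "127.0.0.2"
mail_jail = "127.0.0.3"
www_jail  = "127.0.0.4"

ns_pub   = "192.0.2.1"
mail_pub = "192.0.2.2"
www_pub  = "192.0.2.3"

# --- Translation rules (processed before filter rules) ---

# Variant A: rdr for each published service, plus one nat so the jail's own
# outbound connections leave with the matching public address.  Nothing but
# the listed ports is reachable from outside.
rdr on $ext_if proto tcp from any to $mail_pub port 25 -> $mail_jail port 25
nat on $ext_if from $mail_jail to any -> $mail_pub

rdr on $ext_if proto { tcp udp } from any to $ns_pub port 53 -> $ns_jail port 53
nat on $ext_if from $ns_jail to any -> $ns_pub

rdr on $ext_if proto tcp from any to $www_pub port { 80 443 } -> $www_jail
nat on $ext_if from $www_jail to any -> $www_pub

# Variant B: binat is a single bidirectional 1:1 mapping that replaces both
# the rdr and the nat for a jail.  Every port the jail listens on is then
# reachable through the public address unless the filter rules block it.
# binat on $ext_if from $mail_jail to any -> $mail_pub

# --- Filter rules ---
# Inbound packets are translated before they are filtered, so these rules
# match on the jail's loopback address, not on the public one.
block in on $ext_if all
pass out on $ext_if keep state

pass in on $ext_if proto tcp from any to $mail_jail port 25 flags S/SA keep state
pass in on $ext_if proto { tcp udp } from any to $ns_jail port 53 keep state
pass in on $ext_if proto tcp from any to $www_jail port { 80 443 } flags S/SA keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and `pfctl -sn` afterwards to confirm the translation rules pf actually expanded from the port lists. The security property Matthew describes in the quoted text still holds with variant A: if pf is disabled, the rdr disappears and the daemons bound to 127.0.0.x are unreachable from the wire, so the failure mode is "not working" rather than "exposed".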