From owner-freebsd-questions@FreeBSD.ORG Wed Aug 11 14:10:09 2010
From: David Allen
To: Matthew Seaman
Cc: Fbsd8, Brice ERRANDONEA, freebsd-questions@freebsd.org, "Randal L. Schwartz"
Date: Wed, 11 Aug 2010 06:10:06 -0800
Subject: Re: How to connect a jail to the web ?
In-Reply-To: <4C62AAA3.7090708@infracaninophile.co.uk>
References: <268321.67123.qm@web24608.mail.ird.yahoo.com> <4C61E8B1.7050605@a1poweruser.com> <86mxsuynm0.fsf@red.stonehenge.com> <4C625468.8010805@infracaninophile.co.uk> <86aaotxopm.fsf@red.stonehenge.com> <4C62AAA3.7090708@infracaninophile.co.uk>
List-Id: User questions <freebsd-questions@freebsd.org>

> I meant that you could block access to private servers which need to
> listen on public network ports by just using firewall rules, as opposed
> to making the whole jail hang off a private interface and just
> forwarding selected traffic to it.
>
> For the second case, you would need pf to do the NAT'ing (or ipfw+natd
> if that's your preference). With this trick of binding the sensitive
> daemons to an address on the loopback, you are still secure even if pf
> gets turned off. Of course, "secure" is not necessarily the same as
> "working."

I've read comments in the past about setting up jails using local loopback addresses, but I'm wondering if you wouldn't mind elaborating on what the actual pf rules would look like. Say you have 3 jails and more than one public IP address:

    ns    127.0.0.2   public_ip_1
    mail  127.0.0.3   public_ip_2
    www   127.0.0.4   public_ip_3

You want to pass port 25 traffic to/from the 'mail' jail. But you also need that jail to use the correct public_ip address. Is that possible without using, for example, pf's binat?

Thanks.
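Editor's note (not part of the thread above, and not a reply from any participant): the layout David describes, jails bound to loopback aliases with pf mapping each one to its own public address, is usually expressed with a pair of rdr/nat rules per jail rather than binat. The fragment below is an added illustration in the classic pf.conf syntax FreeBSD used in 2010. The interface name em0 and the public addresses from 192.0.2.0/24 are assumed placeholders; the loopback addresses and jail names are the ones from the question. It assumes the aliases 127.0.0.2 through 127.0.0.4 have already been added to lo0 and that each jail's daemons bind only to their loopback address.

```pf
# /etc/pf.conf excerpt: one loopback-bound jail per public address.
# ASSUMPTIONS (not from the thread): external interface em0,
# public addresses taken from the documentation range 192.0.2.0/24.
ext_if      = "em0"

ns_jail     = "127.0.0.2"
mail_jail   = "127.0.0.3"
www_jail    = "127.0.0.4"

ns_pub      = "192.0.2.1"     # public_ip_1 in the question
mail_pub    = "192.0.2.2"     # public_ip_2
www_pub     = "192.0.2.3"     # public_ip_3

# Inbound: only the services each jail is meant to expose are translated.
# Everything else aimed at the public address never reaches a jail,
# because no rdr exists for it and the daemons are not listening there.
rdr on $ext_if proto { tcp, udp } from any to $ns_pub   port 53 -> $ns_jail
rdr on $ext_if proto tcp          from any to $mail_pub port 25 -> $mail_jail
rdr on $ext_if proto tcp          from any to $www_pub  port 80 -> $www_jail

# Outbound: rewrite each jail's loopback source to its own public address,
# so the mail jail's outgoing SMTP (and its reverse DNS) match public_ip_2.
nat on $ext_if from $ns_jail   to any -> $ns_pub
nat on $ext_if from $mail_jail to any -> $mail_pub
nat on $ext_if from $www_jail  to any -> $www_pub

# Filter rules match the post-translation addresses, so pass on the
# loopback side, and keep state so replies are handled automatically.
block in on $ext_if
pass in  on $ext_if proto { tcp, udp } from any to $ns_jail   port 53 keep state
pass in  on $ext_if proto tcp          from any to $mail_jail port 25 keep state
pass in  on $ext_if proto tcp          from any to $www_jail  port 80 keep state
pass out on $ext_if keep state
```

Reload with `pfctl -f /etc/pf.conf` and confirm the translations with `pfctl -s nat` and the states with `pfctl -s state`. The ordering matters: on this pf version translation is applied before filtering, so the `pass in` rules must name the loopback destination, not the public one. The property Matthew described also holds here: if pf is disabled, the rdr rules disappear and the jails' daemons, bound to 127.0.0.x, simply become unreachable from outside rather than exposed.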