Date: Sun, 26 Jun 2016 10:06:43 +0000
From: <org.freebsd.security@io7m.com>
To: freebsd-net@freebsd.org
Subject: Re: Filtering outbound traffic for private address jails?
Message-ID: <20160626100643.7a1f650e@copperhead.int.arc7.info>
In-Reply-To: <B587F027-A8E5-4B5F-AC1A-07AEDB26F022@Lodge.me.uk>
References: <20160625220137.1ed8de16@copperhead.int.arc7.info> <B587F027-A8E5-4B5F-AC1A-07AEDB26F022@Lodge.me.uk>
'Lo.

On 2016-06-26T02:32:04 +0000
James Lodge <James@Lodge.me.uk> wrote:

> If you clone lo1, give it a 192.168.x.x/32 IP and then use the following pf.conf.
> Do you need to bridge the interfaces? You may need to add gateway_enable="YES" to rc.conf.
>
> Not sure if that's what you're trying to do?
>
> James
>
>
> IP_PUB="Your Public IP Address Here"
> IP_JAIL="192.168.0.2"
> NET_JAIL="192.168.0.0/24"
> PORT_JAIL="{80,443,2020}"
>
> scrub in all
> nat pass on em0 from $NET_JAIL to any -> $IP_PUB
> rdr pass on em0 proto tcp from any to $IP_PUB port $PORT_JAIL -> $IP_JAIL

Interesting! Writing the filtering rules as "nat pass" statements does at least allow basic outbound filtering, as specifying a rule along with the nat statement allows you to talk about individual specific jails. Thanks, I will try using this if vnet jails don't work out.

M
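For readers following the thread, here is an added pf.conf example (not from either poster) that spells out the per-jail outbound filtering the reply above alludes to. The reason plain "pass out on em0 from 192.168.0.2" rules do not work on FreeBSD's pf is rule ordering: translation runs before filtering on the outbound interface, so by the time the filter rules inspect the packet its source is already the public address. The two workarounds below are to decide the outbound policy in the "nat pass" rule itself (the thread's approach), or to tag the packet at translation time so ordinary filter rules can still tell the jails apart. The interface name em0, the public address 203.0.113.10 (a documentation range placeholder) and the jail addresses are assumptions for the example.

```pf
# Added example: per-jail egress policy for private-address jails behind NAT.
# em0, 203.0.113.10 and the 192.168.0.x jail addresses are placeholders.
ext_if   = "em0"
IP_PUB   = "203.0.113.10"      # placeholder public address
JAIL_WEB = "192.168.0.2"       # constructed: a web-serving jail
JAIL_DB  = "192.168.0.3"       # constructed: a database jail
NET_JAIL = "192.168.0.0/24"

scrub in all

# Approach 1 (as suggested in the thread): "nat pass" both translates and
# passes the packet, bypassing the filter rules, so each rule is a complete
# statement of what that one jail may reach. The web jail gets DNS and
# HTTP/HTTPS only.
nat pass on $ext_if proto udp from $JAIL_WEB to any port 53        -> $IP_PUB
nat pass on $ext_if proto tcp from $JAIL_WEB to any port {80, 443} -> $IP_PUB

# Approach 2: translate without "pass" but tag the packet, so the filter
# rules below can still identify the jail after its source address has
# been rewritten to $IP_PUB. Last matching rule wins, so the narrower
# pass rule overrides the block for DNS only.
nat on $ext_if from $JAIL_DB to any tag JAIL_DB -> $IP_PUB
block out log on $ext_if tagged JAIL_DB
pass  out     on $ext_if proto udp tagged JAIL_DB to any port 53

# Anything from the jail network that matched no nat rule above is still
# carrying a private source address; drop it rather than leak it upstream.
block out log on $ext_if from $NET_JAIL to any
```

Check the ruleset with "pfctl -nf /etc/pf.conf" before loading it, and watch "tcpdump -n -e -ttt -i pflog0" while exercising a jail: blocked packets appear there with the jail's private source (last rule) or with the public source and the JAIL_DB tag (second rule), which makes it easy to see which rule is dropping what.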