nat + pf, network weirdness
Виталий Владимирович
artemrts at ukr.net
Sun Jan 22 08:39:45 UTC 2012
--- Original message ---
From: other at ahhyes.net
To: freebsd-jail at freebsd.org
Date: 22 January 2012, 09:38:51
Subject: Re: nat + pf, network weirdness
> On 2012-01-22 01:13, Виталий Владимирович wrote:
> >> nat on xn0 from 10.1.1.0/24 to any -> (xn0)
> >>
> > You should use Packet Tagging (Policy Filtering).
> > Something like this:
> >
> > nat on $ext_if tag WWW tagged WWW -> ($ext_if)
> > nat on $ext_if tag SQL tagged SQL -> ($ext_if)
> >
> > ......
> >
> > block in
> > block out
> > pass in quick on lo1 inet from 10.1.1.1 to !(self) tag WWW <- mark traffic from jail to world
> > .....
> > pass out quick on $ext_if inet from ($ext_if) tagged WWW <- dispatch only marked WWW
> >
> > PF is very well in situations like this. With PF it is possible to
> > divide LAN traffic and router traffic easily.
>
> Could someone please explain how the nat rules work in the above
> example, I had a quick look at the pf manpage for tagging but it does
> not mention it's use in conjunction with NAT. Is there much connection
> overhead/performance difference by using tags? Is the above the only
> solution?
You should read the manuals more carefully:
nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
           [ "on" ifspec ] [ af ]
           [ protospec ] hosts [ "tag" string ] [ "tagged" string ]
           [ "->" ( redirhost | "{" redirhost-list "}" )
           [ portspec ] [ pooltype ] [ "static-port" ] ]
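The grammar above shows that a nat rule can both set a tag and match on one, so the tag can be applied during translation itself: once the jail's source address has been rewritten to the router's own, the tag is the only thing on the external interface that still says which jail the packet came from. The pf.conf ruleset below is an added illustration of that approach, not part of either post; the jail addresses, the database host 192.0.2.10 and the ports are assumptions.

```pf
# Added example pf.conf (pre-"match" pf syntax, as on FreeBSD 9 / OpenBSD 4.5).
ext_if   = "xn0"
www_jail = "10.1.1.1"      # assumed address of the web jail on lo1
sql_jail = "10.1.1.2"      # assumed address of the database client jail
db_host  = "192.0.2.10"    # assumed external database server

set skip on lo0
scrub in all

# Translation rules are evaluated before the filter rules on the outbound
# path. Tagging here marks every packet from a given jail while its real
# source address is still visible; the tag follows the packet and its state.
nat on $ext_if inet from $www_jail to any      tag WWW -> ($ext_if)
nat on $ext_if inet from $sql_jail to $db_host tag SQL -> ($ext_if)

# Default deny, logged, so anything not covered below shows up in pflog.
block log all

# Per-jail egress policy on the external interface, selected by tag rather
# than by source address (which is now ($ext_if) for jails and router alike).
pass out quick on $ext_if inet proto tcp from ($ext_if) to any port { 80 443 } tagged WWW
pass out quick on $ext_if inet proto tcp from ($ext_if) to $db_host port 5432 tagged SQL

# Without these two lines, jail traffic outside its policy would still carry
# the router's address after NAT and match the router rule underneath.
block out log quick on $ext_if tagged WWW
block out log quick on $ext_if tagged SQL

# Untagged outbound traffic on $ext_if is the router's own.
pass out quick on $ext_if inet from ($ext_if) to any
pass in quick on $ext_if inet proto tcp to ($ext_if) port 22
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f`; afterwards the per-rule counters from `pfctl -vs rules` show whether a jail's traffic is landing on its tagged pass rule or on the tagged block rule.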