Setup of jail bound to lo0

Sten Spans sten at blinkenlights.nl
Mon Mar 21 14:18:07 PST 2005


On Mon, 21 Mar 2005, Sławek Żak wrote:

> On Wed, 16 Mar 2005 10:47:25 +0100 (CET), Sten Spans
> <sten at blinkenlights.nl> wrote:
>> On Wed, 16 Mar 2005, Sławek Żak wrote:
>>
>>> Hi,
>>>
>>
>> pf:
>>
>> # Tables: similar to macros, but more flexible for many addresses.
>> table <webservers> { 1.2.3.4, 5.6.7.8, 9.9.9.9 }
>>
>> # Translation: specify how addresses are to be mapped or redirected.
>> nat on $ext_if from $loopback_addr to any -> ($ext_if)
>>
>> # rdr: packets coming in on $ext_if with destination <webservers>:80
>> rdr on $ext_if proto tcp from any to <webservers> port 80 -> $loopback_addr port 80
>
> Hi,
>
> It sure works :)
>
> My rules are:
>
> ext_if="lnc0"
> table <webservers> { 127.0.0.2, 127.0.0.3 }
> nat on $ext_if from <webservers> to any -> ($ext_if)
> rdr on $ext_if proto tcp from any to any port 80 -> 127.0.0.2 port 80
>
> I wasn't sure what you meant by $loopback_addr. I will add rules like
> this for every server:
>
> rdr on $ext_if proto tcp from any to any port 81 -> 127.0.0.3 port 80

My setup is a bit different. I have 1 jail
with ip 10.0.0.1, and multiple external ips
distributed with vrrp.

# $ext_if (external interface) and $lo_if (lo0, the interface the jail
# is bound to) are defined earlier in the ruleset and not shown here.
internal_net="192.168.1.0/23"
loopback_addr="10.0.0.1"

table <webservers> { 1.2.3.21, 1.2.3.22, 1.2.3.23 }

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

# Translation: specify how addresses are to be mapped or redirected.
nat on $ext_if from $loopback_addr to any -> ($ext_if)

# rdr: packets coming in on $ext_if with destination <webservers>:80
rdr on $ext_if proto tcp from any to <webservers> port 80 -> $loopback_addr port 80

# block all packets from $loopback_addr on the internal interface
block in on $lo_if from $loopback_addr to $internal_net


> Nice thing this PF. I can't do this in IPFilter.

pf is quite nice indeed.

> Thank you very much Sten!

no problem.

-- 
Sten Spans

"There is a crack in everything, that's how the light gets in."
Leonard Cohen - Anthem
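The ruleset Sten posted references $ext_if and $lo_if without showing where they are defined, which pfctl rejects as a syntax error. The script below is an added example, not code from the thread: it emits the complete pf.conf the fragment implies (em0 as the external interface and www as the jail name are assumptions; lo0 follows the subject line), lists the host-side commands that give the jail its lo0 alias, and includes a small lint that reports every $macro a pf.conf fragment uses but never defines, run against both the completed ruleset and the fragment as posted.

```shell
#!/bin/sh
# Added example for the freebsd-net thread above; not Sten's or Sławek's code.
# ASSUMPTIONS: external interface em0, jail name www, jail root /usr/jails/www.

# The complete ruleset Sten's fragment implies, with every macro defined.
gen_pf_conf() {
    cat <<'EOF'
# --- macros ---
ext_if="em0"                  # ASSUMPTION: the external (vrrp) interface
lo_if="lo0"                   # the jail is bound to lo0
internal_net="192.168.1.0/23"
loopback_addr="10.0.0.1"      # jail IP, an alias on lo0

# --- tables ---
table <webservers> { 1.2.3.21, 1.2.3.22, 1.2.3.23 }

# --- normalization ---
scrub in all

# --- translation ---
# Connections the jail opens leave with the external address, not 10.0.0.1.
nat on $ext_if from $loopback_addr to any -> ($ext_if)
# Port 80 on any external address lands in the jail.
rdr on $ext_if proto tcp from any to <webservers> port 80 -> $loopback_addr port 80

# --- filtering ---
# The jail must not reach the internal network through the host.
block in on $lo_if from $loopback_addr to $internal_net
EOF
}

# Sten's fragment exactly as posted (macros ext_if and lo_if missing).
posted_fragment() {
    cat <<'EOF'
internal_net="192.168.1.0/23"
loopback_addr="10.0.0.1"
table <webservers> { 1.2.3.21, 1.2.3.22, 1.2.3.23 }
scrub in all
nat on $ext_if from $loopback_addr to any -> ($ext_if)
rdr on $ext_if proto tcp from any to <webservers> port 80 -> $loopback_addr port 80
block in on $lo_if from $loopback_addr to $internal_net
EOF
}

# Lint: every $name referenced outside a comment must have a name="..." line.
# Prints the undefined names one per line; returns 1 if there are any.
check_macros() {
    conf="$1"
    rc=0
    refs=$(printf '%s\n' "$conf" | sed 's/#.*//' \
           | grep -o '\$[A-Za-z_][A-Za-z0-9_]*' | tr -d '$' | LC_ALL=C sort -u)
    for m in $refs; do
        if ! printf '%s\n' "$conf" | grep -q "^${m}="; then
            echo "undefined macro: \$$m"
            rc=1
        fi
    done
    return $rc
}

# Host-side steps, run as root on the FreeBSD host (shown, not executed here):
#   ifconfig lo0 alias 10.0.0.1 netmask 255.255.255.255
#   jail /usr/jails/www www 10.0.0.1 /bin/sh /etc/rc      # ASSUMED path/name
#   pfctl -nf /etc/pf.conf     # parse only; catches undefined macros
#   pfctl -f /etc/pf.conf

main() {
    echo "== fragment as posted =="
    check_macros "$(posted_fragment)" || echo "(pfctl would reject this)"
    echo "== completed ruleset =="
    conf=$(gen_pf_conf)
    check_macros "$conf" && echo "all macros defined"
    tmp=$(mktemp)
    printf '%s\n' "$conf" > "$tmp"
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$tmp" || echo "pfctl rejected $tmp"
    else
        echo "pfctl not available here; ruleset written to $tmp for review"
    fi
}
main
```

The lint is deliberately simple (it does not understand lists or `$` inside quoted strings), but it catches the most common cause of a ruleset that works in an e-mail and fails under `pfctl -nf`: a macro copied out of context.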

