How to connect a jail to the web?

David Allen the.real.david.allen at gmail.com
Wed Aug 11 14:10:09 UTC 2010


> I meant that you could block access to private servers which need to
> listen on public network ports by just using firewall rules, as opposed
> to making the whole jail hang off a private interface and just
> forwarding selected traffic to it.
>
> For the second case, you would need pf to do the NAT'ing (or ipfw+natd
> if that's your preference).  With this trick of binding the sensitive
> daemons to an address on the loopback, you are still secure even if pf
> gets turned off.  Of course, "secure" is not necessarily the same as
> "working."

I've read comments in the past about setting up jails using local
loopback addresses, but I'm wondering if you wouldn't mind elaborating
on what the actual pf rules would look like.

Say you have 3 jails and more than one public IP address:

  ns    127.0.0.2   public_ip_1
  mail  127.0.0.3   public_ip_2
  www   127.0.0.4   public_ip_3

You want to pass port 25 traffic to/from the 'mail' jail.  But you also
need that jail to use the correct public_ip address.  Is that possible
without using, for example, pf's binat?

Thanks.
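The rdr/nat pair the quoted reply refers to, written out for the 'mail' jail in the table above as an added example (not from either poster); the interface name em0 and the 192.0.2.2 address are placeholders for the host's public interface and public_ip_2:

```pf
# Added example (not from either poster): /etc/pf.conf fragment for the
# three-jail layout above.  Only the 'mail' jail and port 25 are handled,
# as in the question; the other jails get nothing until a rule names them.
ext_if    = "em0"          # assumption: the host's public interface
pub_mail  = "192.0.2.2"    # placeholder for public_ip_2
jail_mail = "127.0.0.3"    # the mail jail's loopback address

# Inbound: SMTP arriving for public_ip_2 is rewritten to the jail's
# loopback address.  Nothing else bound inside the jail is reachable from
# outside, even if the daemon listens on every port.
rdr on $ext_if proto tcp from any to $pub_mail port 25 -> $jail_mail port 25

# Outbound: connections the jail opens itself (mail delivery) leave with
# public_ip_2 as source rather than the host's primary address, so the
# jail's reverse DNS and SPF records match the address peers see.
nat on $ext_if from $jail_mail to any -> $pub_mail

# Filter rules see post-translation addresses, so the pass rule names the
# loopback address.  The default block also covers the host's own
# services; add pass rules for those separately.
block in on $ext_if
pass in on $ext_if proto tcp from any to $jail_mail port 25 flags S/SA keep state
pass out on $ext_if keep state
```

Translation rules (nat, rdr, binat) must precede the filter rules in pf.conf, and the host must forward packets between $ext_if and lo0 (gateway_enable="YES" in rc.conf) for the redirected SMTP to reach the loopback address.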


More information about the freebsd-questions mailing list