Setup of jail bound to lo0

Sławek Żak slawek.zak at gmail.com
Mon Mar 21 11:27:03 PST 2005


On Wed, 16 Mar 2005 10:47:25 +0100 (CET), Sten Spans
<sten at blinkenlights.nl> wrote:
> On Wed, 16 Mar 2005, Sławek Żak wrote:
> 
> > Hi,
> >
> > I need to have some jails configured, sharing single IP address (IPv6
> > is a no-no for the time being:). Therefore I came up with an idea of
> > binding them all to lo0 and assigning subsequent IP aliases as the
> > addresses. The requirement for the jails is to let them receive
> > (the easy part) and *send* packets to the outside.
> >
> > The jails cannot directly access the Internet as they cannot bind to
> > the external IP address of course. Some translation needs to be made,
> > I think. After wrestling with ipfw/ipf/pf for a couple of hours I
> > don't have a working solution.
> >
> 
> pf:
> 
> # Tables: similar to macros, but more flexible for many addresses.
> table <webservers> { 1.2.3.4, 5.6.7.8, 9.9.9.9 }
> 
> # Translation: specify how addresses are to be mapped or redirected.
> nat on $ext_if from $loopback_addr to any -> ($ext_if)
> 
> # rdr: packets coming in on $ext_if with destination <webservers>:80
> rdr on $ext_if proto tcp from any to <webservers> port 80 -> $loopback_addr port 80

Hi,

It sure works :)

My rules are:

ext_if="lnc0"
table <webservers> { 127.0.0.2, 127.0.0.3 }
nat on $ext_if from <webservers> to any -> ($ext_if)
rdr on $ext_if proto tcp from any to any port 80 -> 127.0.0.2 port 80

I wasn't sure what you meant by $loopback_addr. I will add rules like
this for every server:

rdr on $ext_if proto tcp from any to any port 81 -> 127.0.0.3 port 80

Nice thing this PF. I can't do this in IPFilter.

Thank you very much Sten!

/S
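A fuller version of the setup discussed in this thread, added here as an example and not taken from the poster's own configuration. The external interface lnc0 is from the thread; the jail alias addresses, jail names, the one-port-per-jail mapping and the filter rules are assumptions.

```pf
# /etc/pf.conf (added example). Assumed: external interface lnc0, two jails
# bound to lo0 aliases that were created beforehand with
#   ifconfig lo0 alias 127.0.0.2 netmask 255.255.255.255
#   ifconfig lo0 alias 127.0.0.3 netmask 255.255.255.255
ext_if = "lnc0"
jail_a = "127.0.0.2"   # reached from outside on port 80
jail_b = "127.0.0.3"   # reached from outside on port 81
table <jails> { $jail_a, $jail_b }

# Outbound: rewrite the jail's loopback source address to the host's
# external address; the state entry created here un-NATs the replies.
nat on $ext_if from <jails> to any -> ($ext_if)

# Inbound: one external port per jail. Matching on ($ext_if) instead of
# "any" limits the redirect to traffic actually addressed to this host.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $jail_a port 80
rdr on $ext_if proto tcp from any to ($ext_if) port 81 -> $jail_b port 80

# rdr only rewrites addresses; the translated packet must still be passed.
# Filter rules see the post-translation destination (jail address, port 80).
# Inbound is default-deny, so host services such as ssh need their own pass rule.
block in on $ext_if
pass in on $ext_if proto tcp from any to <jails> port 80 keep state
pass out on $ext_if keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -s nat` and `pfctl -s state` show the translation rules and the NAT state entries created by jail traffic.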


More information about the freebsd-net mailing list