Filtering outbound traffic for private address jails?

org.freebsd.security at io7m.com
Sun Jun 26 10:06:52 UTC 2016


'Lo.

On 2016-06-26T02:32:04 +0000
James Lodge <James at Lodge.me.uk> wrote:
>
> If you clone lo1, give it a 192.168.x.x/32 IP and then use the following pf.conf
> Do you need to bridge the interfaces? You may need to add gateway_enable="YES" to rc.conf
> 
> Not sure if that's what you're trying to do?
> 
> James
> 
> 
> IP_PUB="Your Public IP Address Here"
> IP_JAIL="192.168.0.2"
> NET_JAIL="192.168.0.0/24"
> PORT_JAIL="{80,443,2020}"
> 
> scrub in all
> nat pass on em0 from $NET_JAIL to any -> $IP_PUB
> rdr pass on em0 proto tcp from any to $IP_PUB port $PORT_JAIL -> $IP_JAIL

Interesting!

Writing the filtering rules as "nat pass" statements does at least
allow basic outbound filtering, as specifying a rule along with the nat
statement allows you to talk about individual specific jails.

Thanks, I will try using this if vnet jails don't work out.

M
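The per-jail outbound filtering M describes, written out as a complete pf.conf. This is an added example, not a configuration from either poster; the interface name, public address and jail addresses are constructed placeholders, and the jails are assumed to sit on /32 aliases of a cloned lo1 with IP forwarding enabled on the host.

```pf
# Added example (not from the thread): per-jail outbound policy on a
# FreeBSD host whose jails use private /32 aliases on lo1.
# Requires gateway_enable="YES" (net.inet.ip.forwarding=1) so the host
# routes jail traffic out through $ext_if.
ext_if    = "em0"            # placeholder external interface
ip_pub    = "203.0.113.10"   # placeholder public address
jail_web  = "192.168.0.2"    # constructed jail addresses
jail_mail = "192.168.0.3"
net_jail  = "192.168.0.0/24"

scrub in all

# "nat pass" translates AND passes the packet without consulting the
# filter rules below, so the proto/port match on each nat rule is the
# whole outbound policy for that jail.

# Web jail: may only originate HTTP/HTTPS.
nat pass on $ext_if proto tcp from $jail_web to any port { 80, 443 } -> $ip_pub

# Mail jail: may only originate DNS lookups and SMTP.
nat pass on $ext_if proto { tcp, udp } from $jail_mail to any port 53 -> $ip_pub
nat pass on $ext_if proto tcp from $jail_mail to any port 25 -> $ip_pub

# Anything from the jail network that did not match a nat rule reaches
# the external interface untranslated; drop it and log it rather than
# leaking a private source address.
block drop log on $ext_if from $net_jail to any

# Host traffic is unaffected by the jail policy above.
pass out on $ext_if from $ip_pub to any keep state
```

Check the loaded policy with `pfctl -sn` (translation rules) and `pfctl -sr` (filter rules); a jail that tries an unlisted port shows up in `tcpdump -n -e -ttt -i pflog0` as a blocked packet with its private source address.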

