NAT Reflection rules for FreeBSD PF

Kristen Nielsen krn at krn.dk
Tue Nov 15 14:50:22 UTC 2016


Hi.
We have had the same needs earlier, but solved it in our network.

Although I have been considering whether there might be an easy 
ACL-based way to get jails to talk with each other, e.g. with sockets and 
related filters in the 127.0.0.0/8 IP range.

Without having deep insights into the kernel network code, I would believe 
it may not be too difficult to realise a solution like this. Of course it 
will only work for jails on a single host (on the same host) and would 
introduce tighter bonds between jails using this feature.

Just a thought I would like to share with the list.

Kristen



Den 15-11-2016 kl. 12:37 skrev Oliver Peter:
> El duderino,
>
> On Mon, Nov 14, 2016 at 10:30:59PM +0000, Big Lebowski wrote:
>> I am trying to set up a 11.0-R PF based NAT for a group of jails that need
>> to be able to talk to services on other jails, just as if they were clients
>> from outside of the network. Apparently, this is called 'NAT reflection'
>> and I was able to find examples for OpenBSD PF here:
>> https://www.openbsd.org/faq/pf/rdr.html (bottom of the page).
>>
>> Obviously, their syntax doesn't work on FreeBSD PF, so how to achieve the
>> same thing? How to allow jails NAT'd on $ext_if (xn0) coming from
>> $jails_net (192.168.0.0/24 aliased on lo0) to talk to each other, via the
>> $ext_if external IP?
> We did something similar in a customer setup a while ago:
>
> 	nat on $int_if from $jail_host to any -> $int_ip
> 	rdr pass on $int_if proto { tcp, udp } from $jail_host to $ext_if port { $service1, $service2 } -> $int_lb
>
> Cheers
>
>
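For reference, here is a complete pf.conf in FreeBSD's translation-rule syntax that puts the thread's pieces together for the setup in the original question ($ext_if is xn0, the jail network 192.168.0.0/24 is aliased on lo0). This is an added example, not a configuration from the thread or from FreeBSD; the external address 203.0.113.10, the web jail at 192.168.0.20 and the service ports are assumptions chosen for illustration.

```pf
# /etc/pf.conf -- added example, not from the thread.
# Assumed (not stated in the thread): the host's external address is
# 203.0.113.10 on xn0, the service lives in the jail at 192.168.0.20,
# and there is NO 'set skip on lo0' (that option would hide all
# jail-to-jail traffic from PF and defeat the reflection rule below).
ext_if    = "xn0"
jails_net = "192.168.0.0/24"   # aliased on lo0, as in the question
web_jail  = "192.168.0.20"     # assumed address of the jail offering the service
services  = "{ 80, 443 }"      # assumed service ports

# In FreeBSD's PF syntax, translation rules (nat/rdr) must come before
# the filter rules.

# Outbound NAT: jails reach the outside with the host's external address.
nat on $ext_if from $jails_net to any -> ($ext_if)

# Inbound from outside: redirect the service ports to the web jail.
rdr pass on $ext_if proto tcp from any to ($ext_if) port $services -> $web_jail

# NAT reflection: when a jail connects to the host's external address the
# packet never touches xn0; it is delivered over lo0. A second rdr on lo0
# therefore sends it to the web jail, exactly like the rule on $ext_if.
rdr pass on lo0 proto tcp from $jails_net to ($ext_if) port $services -> $web_jail

# Minimal filtering; the 'rdr pass' rules above already admit the
# redirected flows with state.
block in on $ext_if
pass out on $ext_if keep state
pass on lo0
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then `pfctl -s nat` should list both rdr rules. After a test connection from one jail to 203.0.113.10:80, `pfctl -s state` should show a TCP state on lo0 whose destination has been translated to 192.168.0.20. The OpenBSD FAQ recipe (and Oliver's `nat on $int_if` rule) additionally rewrite the client's source address so that the server's replies return through the firewall; that matters when client and server share a LAN segment the firewall is not in the middle of. With all jails aliased on lo0 of one host, every packet between them crosses lo0 in both directions, so the rdr alone should be enough; if the state listing shows replies not being reverse-translated, add a `nat on lo0 ... -> <host lo0 address>` rule in the same place the FAQ puts it.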



More information about the freebsd-net mailing list