NAT & RDR rules for jailed proxy services

Beeblebrox zaphod at berentweb.com
Fri Dec 20 15:36:42 UTC 2013


Hello and thanks for your answer.
I would like to make sure that I was able to explain myself correctly:

1. (lo0 + IntIF:network) for (JaTCP ports) --> $JailIf (lo2) --> ExtIf
2. (lo0 + IntIF:network) for !(JaTCP ports) --> ExtIf

This is let's say a "reverse jail" problem. While most pf.confs aim to
provide jailed services to the outside arriving traffic, I'm trying to
provide jailed services to traffic originating from the inside, then
forwarded to the outside.

I had some difficulty understanding the packet flow logic in your
explanation, so forgive me for asking once more. As an example from what you
indicated, does this ruleset do the job?

# Begin NAT & RDR rules
# For the privoxy jail
nat pass in quick on $JailIf from !$JailIf to $JailIf port 8118 tag NAT_PRVX -> $j_privoxy port 8118
nat pass out quick on $JailIf from $j_privoxy to !$JailIf port 8118 tag NAT_PRVX -> $JailIf port 80

# For the unbound jail, there's a problem. Other jailed IPs on $JailIf will
# want a DNS server they can query.
nat pass in quick on $JailIf proto {tcp,udp} from any to $j_dns port domain tag NAT_DNS -> $j_dns
nat pass out quick on $JailIf proto {tcp,udp} from $j_dns to $ExtIf port domain tag NAT_PRVX -> $ExtIf

# Lastly
nat on $ExtIf from any to !($ExtIf) -> ($ExtIf)

It looks to me like it still does not quite make complete sense.

Thanks for your time.

-----
FreeBSD-11-current_amd64_root-on-zfs_RadeonKMS
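As an added example (not part of the original thread), one way to express flow 1 and flow 2 from the message above with the separate rdr/nat rule syntax that FreeBSD's pf used at the time: only traffic for the proxy port is redirected into the jail, everything else leaves directly, and all jail-originated traffic is source-NATed on the external interface. Interface names, the jail subnet on lo2 and the privoxy address are constructed assumptions; the unbound/DNS jail is not covered.

```pf
# Constructed example: NAT/RDR rules for a "reverse jail" proxy setup.
# Assumed names: em0 = external, em1 = internal LAN, lo2 = jail interface,
# 10.0.2.0/24 = hypothetical jail subnet, 10.0.2.1 = hypothetical privoxy jail.
ext_if    = "em0"
int_if    = "em1"
jail_if   = "lo2"
jail_net  = "10.0.2.0/24"
j_privoxy = "10.0.2.1"
proxy_port = "8118"

# Flow 1: LAN clients that talk to the proxy port are redirected into the
# privoxy jail. Only this port is touched; other ports fall through untouched.
rdr pass on $int_if proto tcp from $int_if:network to any port $proxy_port \
    -> $j_privoxy port $proxy_port

# Same redirection for the host's own processes (their traffic arrives on lo0).
rdr pass on lo0 proto tcp from self to any port $proxy_port \
    -> $j_privoxy port $proxy_port

# Flow 2 and the outbound leg of flow 1: everything leaving via the external
# interface, whether from the LAN directly or from the jail subnet after
# privoxy has fetched on the client's behalf, is source-NATed to the external
# address. No rdr for other ports, so non-proxy traffic goes straight out.
nat on $ext_if from { $int_if:network, $jail_net } to any -> ($ext_if)

# Filter rules (not shown) still have to allow the redirected traffic into
# the jail on $jail_if and the jail's outbound traffic on $ext_if; "rdr pass"
# only short-circuits the filter for the redirected packet itself.
```

Check the translations with `pfctl -sn` after loading, and confirm with `pfctl -ss` that a client connection to the proxy port shows a state with the jail address as the translated destination.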