Freebsd jail block out in lo1 while connecting back on ext_if

michael at familie-keil.de michael at familie-keil.de
Sat Apr 11 12:30:34 UTC 2015


 

After some additional research on pf and reading Peter Hansteen's
"The Book of PF", I was able to solve this issue by myself. Peter's book
is worth each and every cent and a remarkable source of knowledge.

The root cause of my issue was an incomplete nat/rdr setup along with a
too optimistic "skip on lo".

So if someone comes across this post and has trouble with a NAT setup
and FreeBSD jails on a cloned lo0 interface, please feel free to give
some deeper thought to the following solution.

Please remember to tighten your rules. "from any" in the first inbound
rdrs isn't a good idea. Maybe you want to block out fail2ban and
brute-force issues.

# Interfaces and jail addresses
ext_if = "re0"
jail_if = "{ lo1, lo0 }"
jail_net = "10.100.0.0/24"
jail_web_adr = "10.100.0.1"
jail_web_ports = "{ http, https }"
jail_mail_adr = "10.100.0.2"
jail_mail_ports = "{ smtp, imap, auth, smtps, pop3s, pop3, imaps, submission }"

# Outbound: masquerade the jail network behind the external address
nat on $ext_if from $jail_net to any -> ($ext_if)
# Inbound from the outside: redirect the service ports on the external
# address to the jail that serves them
rdr pass log on $ext_if proto tcp from any to ($ext_if) port $jail_web_ports -> $jail_web_adr
rdr pass log on $ext_if proto tcp from any to ($ext_if) port $jail_mail_ports -> $jail_mail_adr

# Jail-side rules on the loopback interfaces: no source translation for
# traffic from the jail network in general
no nat log on $jail_if proto tcp from $jail_net
# Hairpin: a jail connecting back to the external address on a service
# port is redirected to the jail that serves it (web and mail)
nat log on $jail_if proto tcp from $jail_web_adr to ($ext_if) port $jail_web_ports -> $jail_web_adr
rdr log on $jail_if proto tcp from $jail_net to $ext_if port $jail_web_ports -> $jail_web_adr
nat log on $jail_if proto tcp from $jail_mail_adr to ($ext_if) port $jail_mail_ports -> $jail_mail_adr
rdr log on $jail_if proto tcp from $jail_net to $ext_if port $jail_mail_ports -> $jail_mail_adr

--- 

Cheers 

Michael 
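A small lint for the two points the post makes (inbound rdr rules that match "from any", and a "set skip on lo" that would also bypass the jail-side nat/rdr rules on lo1), added here as an example; it is not Michael's script or anything from the FreeBSD project. The ruleset embedded below is a constructed copy of the one in the post with each rule on a single line; the "set skip" variant and the tightened variant with a fail2ban-style `<banned>` table are my own constructions, not taken from the post. `pfctl -nf -` is only attempted when pfctl exists, i.e. on the FreeBSD host itself.

```shell
#!/bin/sh
# Lint a pf ruleset for two things the post warns about:
#   1. inbound rdr rules on the external interface that match "from any"
#   2. a "set skip on" line covering a loopback interface, which would keep
#      pf from evaluating the jail-side nat/rdr rules on lo1 at all
# Added example, not Michael's own script. RULESET is a constructed copy of
# his ruleset, one rule per line.

RULESET='ext_if = "re0"
jail_if = "{ lo1, lo0 }"
jail_net = "10.100.0.0/24"
jail_web_adr = "10.100.0.1"
jail_web_ports = "{ http, https }"
jail_mail_adr = "10.100.0.2"
jail_mail_ports = "{ smtp, imap, auth, smtps, pop3s, pop3, imaps, submission }"
nat on $ext_if from $jail_net to any -> ($ext_if)
rdr pass log on $ext_if proto tcp from any to ($ext_if) port $jail_web_ports -> $jail_web_adr
rdr pass log on $ext_if proto tcp from any to ($ext_if) port $jail_mail_ports -> $jail_mail_adr
no nat log on $jail_if proto tcp from $jail_net
nat log on $jail_if proto tcp from $jail_web_adr to ($ext_if) port $jail_web_ports -> $jail_web_adr
rdr log on $jail_if proto tcp from $jail_net to $ext_if port $jail_web_ports -> $jail_web_adr
nat log on $jail_if proto tcp from $jail_mail_adr to ($ext_if) port $jail_mail_ports -> $jail_mail_adr
rdr log on $jail_if proto tcp from $jail_net to $ext_if port $jail_mail_ports -> $jail_mail_adr'

# Constructed variant: the "too optimistic" skip line in front of the rules.
RULESET_WITH_SKIP="set skip on lo
$RULESET"

# Constructed tightened variant: sources listed in a <banned> table (filled by
# fail2ban or similar, an assumption of this example) are excluded from the
# inbound rdr rules instead of matching "from any".
RULESET_TIGHT="table <banned> persist
$(printf '%s\n' "$RULESET" | sed 's/from any /from ! <banned> /')"

# Print the rdr rules on the external interface whose source is "any".
loose_rdr_rules() {
    printf '%s\n' "$1" | grep -E '^rdr .*on \$ext_if .*from any ' || true
}

# Print every "set skip on" line that names a loopback interface.
skip_on_lo() {
    printf '%s\n' "$1" | grep -E '^set skip on.*[ {]lo[0-9]*' || true
}

# Return 0 when the ruleset passes both checks, 1 when either check reports
# a line; the offending lines are printed indented.
lint_ruleset() {
    rc=0
    loose=$(loose_rdr_rules "$1")
    if [ -n "$loose" ]; then
        echo "loose inbound rdr rules (restrict the source, e.g. with a table):"
        printf '%s\n' "$loose" | sed 's/^/  /'
        rc=1
    fi
    skip=$(skip_on_lo "$1")
    if [ -n "$skip" ]; then
        echo "set skip covers a loopback interface; nat/rdr on lo1 will not be evaluated:"
        printf '%s\n' "$skip" | sed 's/^/  /'
        rc=1
    fi
    return $rc
}

# Syntax-check the ruleset with pfctl where it exists (the FreeBSD host);
# elsewhere just say that the check was skipped.
syntax_check() {
    if command -v pfctl >/dev/null 2>&1; then
        printf '%s\n' "$1" | pfctl -nf -
    else
        echo "pfctl not available, syntax check skipped"
    fi
}

# Usage: lint the three rulesets; only the tightened one should pass.
main() {
    for r in "$RULESET" "$RULESET_WITH_SKIP" "$RULESET_TIGHT"; do
        if lint_ruleset "$r"; then
            echo "ruleset OK"
        fi
        echo
    done
}

main "$@"
```

The check is deliberately textual so it can run before the ruleset reaches the host; on the host itself, `syntax_check "$RULESET_TIGHT"` adds pfctl's own parse of the same text.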
