How to connect a jail to the web?

Matthew Seaman m.seaman at
Wed Aug 11 13:50:46 UTC 2010

On 11/08/2010 14:29, Randal L. Schwartz wrote:
>>>>>> "Matthew" == Matthew Seaman <m.seaman at> writes:
> Matthew> Yes, you can achieve the same effect using firewall rules, but
> Matthew> as I have occasionally said before, firewalls should be
> Matthew> optional -- ideally your system should be secure even if you
> Matthew> turn the firewall off.
> Well, I already have pf fired up to deal with web and ssh rate limiting,
> so firing up a natd seems a bit redundant.

I meant that you could block access to private servers which need to
listen on public network ports by just using firewall rules, as opposed
to making the whole jail hang off a private interface and just
forwarding selected traffic to it.

For the second case, you would need pf to do the NAT'ing (or ipfw+natd
if that's your preference).  With this trick of binding the sensitive
daemons to an address on the loopback, you are still secure even if pf
gets turned off.  Of course, "secure" is not necessarily the same as



Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3
Ramsgate, Kent, CT11 9PW
PGP:
JID: matthew at
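The "second case" above, forwarding only selected traffic to a jail that hangs off a private loopback address, as an added example that is not part of the original thread. It assumes a cloned loopback interface lo1 carrying the jail's only address (ifconfig lo1 create; ifconfig lo1 inet 10.0.0.2/32), that the jail's web server listens on that address and that any sensitive daemon (a database, say) listens there too. The interface name em0, the public address 203.0.113.10 and the jail address 10.0.0.2 are assumptions chosen for illustration.

```pf
# Added example pf.conf; names and addresses are assumptions, not from the thread.
ext_if  = "em0"
ext_ip  = "203.0.113.10"   # host's public address
jail_ip = "10.0.0.2"       # the jail's only address, an alias on lo1

# Translation rules come before filter rules in FreeBSD's pf dialect.
# Outbound: let the jail reach the network from the host's public address.
nat on $ext_if inet from $jail_ip to any -> ($ext_if)

# Inbound: forward only the web ports to the jail. "rdr pass" also passes
# the redirected packets, so no separate filter rule is needed for them.
rdr pass on $ext_if inet proto tcp from any to $ext_ip port { 80, 443 } -> $jail_ip

# Everything else arriving from the wire is dropped; the host's own sshd
# stays reachable. lo1 is not mentioned, so host-to-jail traffic (for
# example the web app talking to the database on $jail_ip) is unfiltered.
block in log on $ext_if
pass in on $ext_if inet proto tcp from any to $ext_ip port 22 flags S/SA keep state
pass out on $ext_if keep state
```

Only ports 80 and 443 are ever translated to $jail_ip, so a daemon on $jail_ip:5432 has no path from the wire. Because $jail_ip lives on a loopback interface, disabling pf (pfctl -d) does not expose it either: the redirect disappears and the whole jail simply becomes unreachable from outside, which is the "secure even if pf gets turned off" property Matthew describes, at the cost of the web service going dark until pf is back.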


More information about the freebsd-questions mailing list