How to connect a jail to the web ?

Matthew Seaman m.seaman at
Wed Aug 11 20:18:30 UTC 2010

On 11/08/2010 15:10:06, David Allen wrote:
>> I meant that you could block access to private servers which need to
>> listen on public network ports by just using firewall rules, as opposed
>> to making the whole jail hang off a private interface and just
>> forwarding selected traffic to it.
>> For the second case, you would need pf to do the NAT'ing (or ipfw+natd
>> if that's your preference).  With this trick of binding the sensitive
>> daemons to an address on the loopback, you are still secure even if pf
>> gets turned off.  Of course, "secure" is not necessarily the same as
>> "working."
> I've read comments in the past about setting up jails using local
> loopback addresses, but I'm wondering if you wouldn't mind elaborating
> on what the actual pf rules would look like.
> Say you have 3 jails and more than one public IP address:
>   ns   public_ip_1
>   mail   public_ip_2
>   www   public_ip_3
> You want to pass port 25 traffic to/from the 'mail' jail.  But you also
> need that jail to use the correct public_ip address.  Is that possible
> without using, for example, pf's binat?
> Thanks.

Sure.  In the best Blue Peter tradition[*], here's one I prepared earlier:

While that talks about redirecting a couple of TCP and one UDP service
into a single jailed host, I think it's pretty clear how to get from
there to having several different jails each with running a different



[*] It's a British thing.  You have to have been bought up here to

Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP:     Ramsgate
JID: matthew at               Kent, CT11 9PW

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 267 bytes
Desc: OpenPGP digital signature
Url :

More information about the freebsd-questions mailing list