7.x and multiple IPs in jails

Oliver Fromme olli at lurza.secnetix.de
Tue Oct 28 01:54:10 PDT 2008


Charles Sprickman wrote:
 > [...]
 > Is there any firewall hackery to be had that can at least let me do IP 
 > based virtual hosts for web hosting?

A common solution is to put the jail on a localhost IP
(e.g. 127.0.0.2, whatever).  The apache inside is bound
to several arbitrary port numbers.  For example, the
first virtual host listens on port 800, the next one on
port 801, then 802, and so on.  Everything on the same
jail IP.

Then use packet filter and NAT rules to forward incoming
connections from the real IP addresses to the respective
port on your jail IP:

   11.22.33.44 : 80  <-->  127.0.0.2 : 800
   11.22.33.45 : 80  <-->  127.0.0.2 : 801
   11.22.33.46 : 80  <-->  127.0.0.2 : 802
   11.22.33.47 : 80  <-->  127.0.0.2 : 803
   ...

You should be able to do that with any of the included
"firewall" packages (IPFW, IPF, PF).  Personally I prefer
IPFW, which is used like this:

# NAT instance 1: public 11.22.33.44:80 <--> jail 127.0.0.2:800
ipfw nat 1 config redirect_port tcp 127.0.0.2:800 11.22.33.44:80
ipfw add nat 1 tcp from any to 11.22.33.44 80
ipfw add nat 1 tcp from 127.0.0.2 800 to any

# NAT instance 2: public 11.22.33.45:80 <--> jail 127.0.0.2:801
ipfw nat 2 config redirect_port tcp 127.0.0.2:801 11.22.33.45:80
ipfw add nat 2 tcp from any to 11.22.33.45 80
ipfw add nat 2 tcp from 127.0.0.2 801 to any

... and so on.  Of course you can add additional NAT rules
for port 443 (https).  Works perfectly fine for me.

(You need to enable IPFIREWALL_NAT and LIBALIAS in your
kernel, or load libalias.ko and ipfw_nat.ko with kldload.)

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606,  Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht Mün-
chen, HRB 125758,  Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD-Dienstleistungen, -Produkte und mehr:  http://www.secnetix.de/bsd

"[...]  one observation we can make here is that Python makes
an excellent pseudocoding language, with the wonderful attribute
that it can actually be executed."  --  Bruce Eckel
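The per-address pattern from the post, generalised into a small generator as an added example (this is not Oliver's code): it emits one ipfw NAT instance per public IP, redirecting both 80 and 443 to consecutive ports on the jail IP, and refuses malformed addresses or ports past 65535. The jail IP 127.0.0.2, the base port 800 and the sample public addresses are assumptions; inspect the output before feeding it to a root shell.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: the jail's loopback address (post uses 127.0.0.2).
JAIL_IP="${JAIL_IP:-127.0.0.2}"

# gen_nat_rules BASE_PORT PUBLIC_IP...
# For the N-th public IP (1-based) print the ipfw commands for NAT instance N:
#   public:80  <--> JAIL_IP:(BASE_PORT + 2*(N-1))
#   public:443 <--> JAIL_IP:(BASE_PORT + 2*(N-1) + 1)
# Returns 1 on a malformed address or when the jail port would exceed 65535.
gen_nat_rules() {
    base="$1"; shift
    n=1
    for pub in "$@"; do
        # Cheap dotted-quad sanity check: digits and dots only, no leading,
        # trailing or doubled dots.
        case "$pub" in
            *[!0-9.]*|.*|*.|*..*|*.*.*.*.*)
                echo "gen_nat_rules: bad IPv4 address: $pub" >&2
                return 1 ;;
        esac
        http=$((base + 2 * (n - 1)))
        https=$((http + 1))
        if [ "$https" -gt 65535 ]; then
            echo "gen_nat_rules: jail port $https out of range" >&2
            return 1
        fi
        # One NAT instance with two redirect_port entries (http and https).
        echo "ipfw nat $n config redirect_port tcp $JAIL_IP:$http $pub:80 redirect_port tcp $JAIL_IP:$https $pub:443"
        # Inbound: traffic for the public IP goes through this instance.
        echo "ipfw add nat $n tcp from any to $pub 80,443"
        # Outbound: replies from the jail ports get the public IP back.
        echo "ipfw add nat $n tcp from $JAIL_IP $http,$https to any"
        n=$((n + 1))
    done
}

# Run directly (not sourced) to print rules for two constructed addresses.
if [ "${0##*/}" = "gen_nat_rules.sh" ]; then
    # Modules the post mentions, if not compiled into the kernel.
    echo "kldload libalias ipfw_nat"
    gen_nat_rules 800 11.22.33.44 11.22.33.45
fi
```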

