7.x and multiple IPs in jails

Oliver Fromme olli at lurza.secnetix.de
Tue Oct 28 01:54:10 PDT 2008

Charles Sprickman wrote:
 > [...]
 > Is there any firewall hackery to be had that can at least let me do IP 
 > based virtual hosts for web hosting?

A common solution is to put the jail on a localhost IP
(e.g., whatever).  The apache inside is bound
to several arbitrary port numbers.  For example, the
first virtual host listens on port 800, the next one on
port 801, then 802, and so on.  Everything on the same
jail IP.

Then use packet filter and NAT rules to forward incoming
connections from the real IP addresses to the respective
port on your jail IP:

    :80  <-->  :800
    :80  <-->  :801
    :80  <-->  :802
    :80  <-->  :803

You should be able to do that with any of the included
"firewall" packages (IPFW, IPF, PF).  Personally I prefer
IPFW, which is used like this:

ipfw nat 1 config redirect_port tcp
ipfw nat 1 tcp from any to 80
ipfw nat 1 tcp from 800 to any

ipfw nat 2 config redirect_port tcp
ipfw nat 2 tcp from any to 80
ipfw nat 2 tcp from 801 to any

.. and so on.  Of course you can add additional NAT rules
for port 443 (https).  Works perfectly fine for me.

(You need to enable IPFIREWALL_NAT and LIBALIAS in your
kernel, or load libalias.ko and ipfw_nat.ko with kldload.)

Best regards

Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606,  Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht Mün-
chen, HRB 125758,  Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD-Dienstleistungen, -Produkte und mehr:  http://www.secnetix.de/bsd

"[...]  one observation we can make here is that Python makes
an excellent pseudocoding language, with the wonderful attribute
that it can actually be executed."  --  Bruce Eckel
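One way to script the mapping described in the mail above, as an added example that is not part of Oliver's post: a POSIX sh function that emits one ipfw nat instance per public address, each with a redirect_port entry and the two rules that pass inbound and return traffic through it. The jail address 127.0.0.2, the port base 800, the 192.0.2.x public addresses (RFC 5737 documentation range) and the rule numbers starting at 1000 are all constructed placeholders, not values from the original mail.

```shell
#!/bin/sh
# Generate ipfw nat rules that map PUBLIC_IP:80 -> JAIL_IP:PORT for a series
# of public addresses, one nat instance per address. Added example, not code
# from the original mail. Prints the commands; pipe through "sh" as root to
# apply them (ipfw_nat.ko and libalias.ko must be loaded first).

JAIL_IP="127.0.0.2"                              # constructed: lo0 alias the jail binds to
BASE_PORT=800                                    # vhost 1 listens on 800, vhost 2 on 801, ...
PUBLIC_IPS="192.0.2.10 192.0.2.11 192.0.2.12"    # constructed documentation-range addresses

# gen_nat_rules JAIL_IP BASE_PORT PUBLIC_IP...
# For the i-th public IP (1-based) it emits:
#   ipfw nat i config redirect_port tcp JAIL_IP:(BASE_PORT+i-1) PUBLIC_IP:80
#   ipfw add N     nat i tcp from any to PUBLIC_IP 80          (inbound)
#   ipfw add N+1   nat i tcp from JAIL_IP PORT to any          (return traffic)
# Rule numbers start at 1000 and step by 10 per public IP (arbitrary choice).
# Port 443 works the same way with a second port series and its own rules.
gen_nat_rules() {
    jail_ip=$1
    base_port=$2
    shift 2
    n=1
    port=$base_port
    rule=1000
    for pub in "$@"; do
        echo "ipfw nat $n config redirect_port tcp ${jail_ip}:${port} ${pub}:80"
        echo "ipfw add $rule nat $n tcp from any to $pub 80"
        echo "ipfw add $((rule + 1)) nat $n tcp from $jail_ip $port to any"
        n=$((n + 1))
        port=$((port + 1))
        rule=$((rule + 10))
    done
}

# Number of ipfw commands a given set of public IPs produces (3 per address).
nat_rule_count() {
    jail_ip=$1
    base_port=$2
    shift 2
    gen_nat_rules "$jail_ip" "$base_port" "$@" | wc -l | tr -d ' '
}

# Print the rule set for the constructed example addresses.
# shellcheck disable=SC2086
gen_nat_rules "$JAIL_IP" "$BASE_PORT" $PUBLIC_IPS
```

Each nat instance is keyed to one public address, so the return path is unambiguous: traffic leaving the jail from JAIL_IP:PORT is rewritten back to the matching public IP by the same instance that translated it inbound. Check the result with `ipfw nat show config` and `ipfw list` after applying.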
