Nicolas de Bari Embriz Garcia Rojas wrote:
Thanks, I tried to base my rules on yours but still do not have luck.
I do not know if maybe it is because of the IPsec VPN; also, what I would
like to do is to access the end VPN point from the jails, but I still
haven't made that or know how to do it.
I know nothing about IPsec VPN, so I can't help you any further.
You can add the keyword "log" to your block rules in pf.conf, start pflog
(pflog_enable="YES" in rc.conf and /etc/rc.d/pflog start) and then watch
with tcpdump which rule blocks your needed traffic and what next should
be allowed / redirected.
http://www.openbsd.org/faq/pf/logging.html
Or you can ask some network / PF guru on the freebsd-pf@ mailing list.
On Apr 22, 2008, at 4:09 PM, Miroslav Lachman wrote:
Nicolas de Bari Embriz Garcia Rojas wrote:
I have an IPsec/VPN on FreeBSD 6.3 from one master server to another
server; the one has multiple jails. Each jail has its own public IP
and I need to do something like this:
vpn point >----------------------< master server with jails <-------> jail (75.76.78.80)
64.68.69.79/10.10.10.1            75.76.78.79/10.10.10.2
When doing a telnet to 10.10.10.2 80 from 10.10.10.1 I want the
jail with IP 75.76.78.80 to respond, and also from jail
75.76.78.80 to be available to telnet the other VPN point 10.10.10.1.
I am trying to route traffic using PF but it is not working for the
tunnel, only for the non-encrypted traffic, example:
rdr on em1 proto tcp from any to any port 80 -> 75.76.78.80
but if I use the gif0 interface (the one for the tunnel) instead of
em1 it does not work.
I am using a slightly different setup. I have lo1 with IPs
172.16.1.0/24 for the jails, and public IPs are RDR / NATed from the public
interface to local (jails).
I have one jail where I need to connect through OpenVPN on tap0 to
the MSSQL database server, and from the other end (MS Windows Server)
allow connections into the jailed MySQL database server. Apache from this
jail is publicly accessible on ports 80 and 443.
# jail address on lo1 and the ports it accepts from the public interface
jail_addr_0="172.16.1.2"
jail_tcp_0_inports="{ 80, 443 }"
# OpenVPN tunnel interface and its local / remote tunnel addresses
vpn_dtc_if="tap0"
vpn_dtc_addr_local="10.0.0.29"
vpn_dtc_addr_remote="10.0.0.10"
vpn_dtc_inports="{ 3306 }" # let incoming to local mysql
# outgoing connections
nat on $ext_if from $jail_addr_0 to !$jail_addr_0 -> $ext_addr_3
nat pass on $vpn_dtc_if from $jail_addr_0 to $vpn_dtc_addr_remote -> $vpn_dtc_addr_local
# incoming connections
rdr on $ext_if proto tcp from any to $ext_addr_3 -> $jail_addr_0
rdr pass on $vpn_dtc_if inet proto tcp from any to $vpn_dtc_addr_local port $vpn_dtc_inports -> $jail_addr_0
Miroslav Lachman
--
> nbari
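The logging step suggested above (add "log" to the block rules, start pflog, read pflog0 with tcpdump) quickly produces a lot of output; the added example below is a small triage script, not code from this thread or from FreeBSD, that reads the one-line-per-packet form tcpdump prints for pflog0 and counts blocked flows per rule number, direction, interface and destination port, so the offending rule can be looked up with pfctl -vvsr (which prints rules with their @N numbers). The log lines embedded in the script are constructed for the demonstration and reuse the tunnel and jail addresses from the thread; the regex is an assumption about tcpdump's pflog format and accepts both the "rule N/0(match):" and the older "rule N/(match)" spelling.

```python
import re
import sys
from collections import Counter

# Regex for the packet records that tcpdump -n -e -ttt -i pflog0 prints.
# Assumption: the record starts with "rule N/M(match):" (or the older
# "rule N/(match)"), followed by action, direction, interface, and the
# "src > dst:" header, where -n prints IPv4 endpoints as host.port.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d*\(match\):?\s+"
    r"(?P<action>pass|block)\s+(?P<dir>in|out)\s+on\s+(?P<iface>[\w.]+):\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+?):"
)

# Constructed sample of what pflog0 might show for the setup discussed in the
# thread: SYNs from the far VPN end to the jail port being dropped on gif0,
# a telnet attempt from the jail out to the VPN peer being dropped, one
# passed web connection, and an ICMP echo (no port) dropped by the same rule.
SAMPLE_PFLOG = """\
00:00:00.000000 rule 3/0(match): block in on gif0: 10.10.10.1.49152 > 10.10.10.2.80: Flags [S], seq 100, win 65535, length 0
00:00:01.020000 rule 3/0(match): block in on gif0: 10.10.10.1.49153 > 10.10.10.2.80: Flags [S], seq 101, win 65535, length 0
00:00:02.000000 rule 9/0(match): block out on em1: 75.76.78.80.51000 > 10.10.10.1.23: Flags [S], seq 102, win 65535, length 0
00:00:03.000000 rule 14/0(match): pass in on em1: 203.0.113.5.40000 > 75.76.78.80.80: Flags [S], seq 103, win 65535, length 0
00:00:04.000000 rule 3/0(match): block in on gif0: 10.10.10.1 > 10.10.10.2: ICMP echo request, id 1, seq 1, length 64
"""


def parse_pflog_line(line):
    """Return a dict describing one pflog record, or None if the line is not one."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    # With -n an IPv4 endpoint with a port has five dot-separated parts
    # (a.b.c.d.port); four parts means a port-less protocol such as ICMP.
    parts = rec["dst"].split(".")
    if len(parts) == 5 and parts[4].isdigit():
        rec["dst_host"], rec["dst_port"] = ".".join(parts[:4]), parts[4]
    else:
        rec["dst_host"], rec["dst_port"] = rec["dst"], None
    return rec


def summarize_blocks(lines):
    """Count blocked packets per (rule, direction, interface, destination port).

    Returns a list of (rule, dir, iface, dst_port, count) tuples, most frequent
    first; pass records are ignored because only the drops need explaining.
    """
    counts = Counter()
    for line in lines:
        rec = parse_pflog_line(line)
        if rec and rec["action"] == "block":
            counts[(rec["rule"], rec["dir"], rec["iface"], rec["dst_port"])] += 1
    return [(r, d, i, p, n) for (r, d, i, p), n in counts.most_common()]


if __name__ == "__main__":
    # Read a live or saved tcpdump stream from stdin when one is piped in,
    # otherwise fall back to the constructed sample above.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_PFLOG.splitlines()
    for rule, direction, iface, port, n in summarize_blocks(source):
        print(f"rule @{rule}: block {direction} on {iface} -> port {port or '-'}: {n} packet(s)")
```

On the firewall itself this would be run as `tcpdump -n -e -ttt -i pflog0 | python3 pflog_summary.py`; the `@N` numbers in the output are the ones `pfctl -vvsr` shows in front of each rule, which is the quickest way to map a drop back to the line in pf.conf that needs a pass or rdr before it.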