On Mon, 21 Mar 2005, Sławek Żak wrote:

On Wed, 16 Mar 2005 10:47:25 +0100 (CET), Sten Spans
<[EMAIL PROTECTED]> wrote:
On Wed, 16 Mar 2005, Sławek Żak wrote:

Hi,


pf:

# Tables: similar to macros, but more flexible for many addresses.
table <webservers> { 1.2.3.4, 5.6.7.8, 9.9.9.9 }

# Translation: specify how addresses are to be mapped or redirected.
nat on $ext_if from $loopback_addr to any -> ($ext_if)

# rdr: packets coming in on $ext_if with destination <webservers>:80
rdr on $ext_if proto tcp from any to <webservers> port 80 -> $loopback_addr port 80

Hi,

It sure works :)

My rules are:

ext_if="lnc0"
table <webservers> { 127.0.0.2, 127.0.0.3 }
nat on $ext_if from <webservers> to any -> ($ext_if)
rdr on $ext_if proto tcp from any to any port 80 -> 127.0.0.2 port 80

I wasn't sure what you meant by $loopback_addr. I will add rules like
this for every server:

rdr on $ext_if proto tcp from any to any port 81 -> 127.0.0.3 port 80

My setup is a bit different. I have 1 jail with ip 10.0.0.1, and multiple external ips distributed with vrrp.

internal_net="192.168.1.0/23"
loopback_addr="10.0.0.1"

table <webservers> { 1.2.3.21, 1.2.3.22, 1.2.3.23 }

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

# Translation: specify how addresses are to be mapped or redirected.
nat on $ext_if from $loopback_addr to any -> ($ext_if)

# rdr: packets coming in on $ext_if with destination <webservers>:80
rdr on $ext_if proto tcp from any to <webservers> port 80 -> $loopback_addr port 80

# block all packets from $loopback_addr on the internal interface
block in on $lo_if from $loopback_addr to $internal_net


Nice thing this PF. I can't do this in IPFilter.

pf is quite nice indeed.

Thank you very much Sten!

no problem.

--
Sten Spans

"There is a crack in everything, that's how the light gets in."
Leonard Cohen - Anthem
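The thread ends with the plan to add one rdr rule per jail by hand. As an added example (not code from either poster), the POSIX sh script below generates the macro, table, nat and rdr lines for several loopback-aliased jails from one mapping list, and first refuses to emit anything if two entries claim the same external port, because pf applies only the first matching translation rule and the second jail would silently never receive traffic. The mapping (127.0.0.2 and 127.0.0.3 from the thread, plus a constructed 127.0.0.4 on 443) and the interface name are assumptions. The rdr lines match on `to ($ext_if)` rather than `to any`, so only packets addressed to the external interface itself are redirected, not everything that merely transits the box on that port.

```shell
#!/bin/sh
# Generate pf nat/rdr rules for jails that each live on a loopback alias.
# Added example; the mapping below is constructed, not from the thread.
# Each entry is "external_port:jail_ip:jail_port".

EXT_IF="lnc0"
JAILS="80:127.0.0.2:80
81:127.0.0.3:80
443:127.0.0.4:443"

# gen_rules EXT_IF MAPPING: print the pf.conf fragment for the mapping.
gen_rules() {
    ext_if=$1
    mapping=$2
    # collect the distinct jail addresses into a pf table
    jail_ips=$(printf '%s\n' "$mapping" | cut -d: -f2 | sort -u \
               | tr '\n' ',' | sed 's/,$//; s/,/, /g')
    printf 'ext_if="%s"\n' "$ext_if"
    printf 'table <jails> { %s }\n' "$jail_ips"
    # outbound traffic from any jail leaves with the external address
    printf 'nat on $ext_if from <jails> to any -> ($ext_if)\n'
    # one rdr per mapping, scoped to the external interface's own address
    printf '%s\n' "$mapping" | while IFS=: read -r ext_port jail_ip jail_port; do
        [ -n "$ext_port" ] || continue
        printf 'rdr on $ext_if proto tcp from any to ($ext_if) port %s -> %s port %s\n' \
            "$ext_port" "$jail_ip" "$jail_port"
    done
}

# check_dup_ports MAPPING: fail if two entries share an external port,
# since only the first matching rdr rule would ever be applied.
check_dup_ports() {
    dups=$(printf '%s\n' "$1" | cut -d: -f1 | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "duplicate external port(s): $dups" >&2
        return 1
    fi
    return 0
}

check_dup_ports "$JAILS" && gen_rules "$EXT_IF" "$JAILS"
```

Redirect the output into a file and check it with `pfctl -nf <file>` before loading it; the `block in on $lo_if from $loopback_addr to $internal_net` line from the thread still needs to be added separately for each jail address if the jails must not reach the internal network.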
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
