I use pf and jails on a host to redirect port 80 to the correct jail. I only use 1 routeable IP and have been running this configuration for over a year now.
I run nginx in jailA (10.0.0.2) and have it capture port 80 requests and forward them to either jailB (10.0.0.3) or jailC (10.0.0.4) based on the hostname in the HTTP request. Recently (last 3 months), pf has started blocking the ability of jailA to send these requests to the other two jails and I don't know why. My nginx config and pf.conf are unchanged. When I enter jailA and attempt to telnet to jailB port 80, I get rejected. So, I assume something is wrong with my current pf implementation.

pf.conf:
----------------------------------------------------------------------------------------------------
jailA_if = "lo1"
JailAnet = $jailA_if:network
jailB_if = "lo2"
jailBnet = $jailB_if:network
jailC_if = "lo3"
jailCnet = $jailC_if:network
jailA="10.0.0.2"
jailB="10.0.0.3"
jailC="10.0.0.4"

#NAT
nat on $ext_if from $jailAnet to any -> ($ext_if)
nat on $ext_if from $jailBnet to any -> ($ext_if)
nat on $ext_if from $jailCnet to any -> ($ext_if)

# Redirect 80
rdr pass on $ext_if inet proto tcp to port http -> $jailA port http
----------------------------------------------------------------------------------------------------

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"