--- Original message ---
From: [email protected]
To: [email protected]
Date: 21 January 2012, 10:57:48
Subject: nat + pf, network weirdness
> Hi Guys,
>
> I am running 9.0-RELEASE on my VPS. I decided to jail a bunch of
> services that are public facing in an effort to improve security.
>
> Firstly a breakdown of how things are set up:
>
> srv# ifconfig
> pflog0: flags=0<> metric 0 mtu 33152
> pfsync0: flags=0<> metric 0 mtu 1500
>         syncpeer: 0.0.0.0 maxupd: 128
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>         options=3<RXCSUM,TXCSUM>
>         inet 127.0.0.1 netmask 0xff000000
> xn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=503<RXCSUM,TXCSUM,TSO4,LRO>
>         ether 00:16:3e:85:8a:12
>         inet 109.IP.IP.IP netmask 0xffffff00 broadcast 109.169.82.255
>         media: Ethernet manual
>         status: active
> lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>         options=3<RXCSUM,TXCSUM>
>         inet 10.1.1.IP netmask 0xffffff00
>         inet 10.1.1.IP netmask 0xffffffff
>         inet 10.1.1.IP netmask 0xffffffff
>         inet 10.1.1.IP netmask 0xffffffff
>
> srv# jls
>    JID  IP Address      Hostname                      Path
>      1  10.1.1.IP       www.mydomain.net              /somepath/jails/www
>      2  10.1.1.IP       sql.mydomain.net              /somepath/jails/db
>      3  10.1.1.IP       ns.mydomain.net               /somepath/jails/ns
>      5  10.1.1.IP       mail.mydomain.net             /somepath/jails/mail
>
> Interface xn0 is my public facing interface, with my public IP.
>
> Everything appears to work as it should. I have PF running on the
> host with a default deny all policy. I have the following NAT rule in my
> pf.conf:
>
> nat on xn0 from 10.1.1.0/24 to any -> (xn0)
>

You should use Packet Tagging (Policy Filtering). Something like this:

nat on $ext_if tag WWW tagged WWW -> ($ext_if)
nat on $ext_if tag SQL tagged SQL -> ($ext_if)
......
block in
block out
pass in quick on lo1 inet from 10.1.1.1 to !(self) tag WWW      <- mark traffic from jail to world
.....
pass out quick on $ext_if inet from ($ext_if) tagged WWW        <- dispatch only marked WWW

PF works very well in situations like this. With PF it is possible to divide LAN traffic and router traffic easily.
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "[email protected]"
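The per-jail tagging layout sketched in the reply, written out as a complete pf.conf for the setup in the quoted message. This is an added example and is neither the poster's nor the replier's configuration. It assumes pf as shipped with FreeBSD 9.0 (nat/rdr rules are separate from the filter rules and are evaluated before them), xn0 as the public interface, the four jails on lo1 with constructed addresses 10.1.1.2 (www), 10.1.1.3 (sql), 10.1.1.4 (ns) and 10.1.1.5 (mail), and assumed service ports (3306 for the database, 22 for host administration). One deliberate change from the sketch: the tag is applied by the nat rule itself rather than by a pass rule on lo1; the reason is given after the block.

```pf
# Added example pf.conf (FreeBSD 9.0 pf syntax). Addresses, ports and tag
# names are constructed assumptions, not taken from the original message.
ext_if     = "xn0"
jail_if    = "lo1"
jail_net   = "10.1.1.0/24"
www_ip     = "10.1.1.2"     # assumed
sql_ip     = "10.1.1.3"     # assumed
ns_ip      = "10.1.1.4"     # assumed
mail_ip    = "10.1.1.5"     # assumed
admin_port = "22"           # assumed
db_port    = "3306"         # assumed

set skip on lo0
scrub in all

# --- Translation (evaluated before the filter rules) ---
# Each jail allowed to reach the Internet gets its own nat rule, and that
# rule tags the packet. The sql jail has no nat rule at all, so nothing it
# sends can ever be translated onto the public interface.
nat on $ext_if inet from $www_ip  to any tag WWW  -> ($ext_if)
nat on $ext_if inet from $ns_ip   to any tag NS   -> ($ext_if)
nat on $ext_if inet from $mail_ip to any tag MAIL -> ($ext_if)

# Inbound services are redirected to the jail that owns them and tagged so
# the filter below can pass exactly those connections and nothing else.
rdr on $ext_if inet proto tcp          to ($ext_if) port { 80, 443 } tag WWW_IN  -> $www_ip
rdr on $ext_if inet proto { tcp, udp } to ($ext_if) port 53          tag NS_IN   -> $ns_ip
rdr on $ext_if inet proto tcp          to ($ext_if) port { 25, 587 } tag MAIL_IN -> $mail_ip

# --- Filter: default deny, every drop logged to pflog0 ---
block in  log all
block out log all

# Host administration from the outside
pass in on $ext_if inet proto tcp to ($ext_if) port $admin_port keep state

# Inbound: only redirected (tagged) connections may reach a jail
pass in quick on $ext_if tagged WWW_IN  keep state
pass in quick on $ext_if tagged NS_IN   keep state
pass in quick on $ext_if tagged MAIL_IN keep state

# Jail-to-jail traffic crosses lo1 (out on lo1, then back in on lo1);
# these rules are the only paths between jails.
pass on $jail_if inet proto tcp          from $www_ip   to $sql_ip port $db_port keep state
pass on $jail_if inet proto { tcp, udp } from $jail_net to $ns_ip  port 53       keep state

# Outbound egress policy per jail, keyed on the tag set by the nat rule.
# After translation the source is already ($ext_if), so the tag is the only
# thing that still identifies which jail the packet came from.
pass  out quick on $ext_if inet from ($ext_if) tagged WWW keep state
pass  out quick on $ext_if inet proto { tcp, udp } from ($ext_if) to any port 53 tagged NS keep state
block out log quick on $ext_if tagged NS
pass  out quick on $ext_if inet proto tcp from ($ext_if) to any port 25 tagged MAIL keep state
block out log quick on $ext_if tagged MAIL

# The host's own traffic carries no tag and falls through to this rule
pass out on $ext_if inet from ($ext_if) to any keep state
```

The tag sits on the nat rule rather than on a `pass in on lo1` rule because a packet a jail sends to the Internet is routed straight out xn0 by the host's stack; it never passes inbound through lo1, so a rule there would not see it. Only jail-to-jail traffic traverses lo1, which is why the inter-jail rules above are the ones written against $jail_if. Check the file with `pfctl -nf /etc/pf.conf` before loading it, inspect what was actually installed with `pfctl -vv -s rules` and `pfctl -s nat`, and watch the logged drops with `tcpdump -n -e -ttt -i pflog0`; a jail that should have no egress (sql here) will show up in that trace the moment it tries.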
