On 2012-01-22 01:13, Виталий Владимирович wrote:
> > nat on xn0 from 10.1.1.0/24 to any -> (xn0)
>
> You should use Packet Tagging (Policy Filtering).
> Something like this:
>
> nat on $ext_if tag WWW tagged WWW -> ($ext_if)
> nat on $ext_if tag SQL tagged SQL -> ($ext_if)
> ......
> block in
> block out
> pass in quick on lo1 inet from 10.1.1.1 to !(self) tag WWW    <- mark traffic from jail to world
> .....
> pass out quick on $ext_if inet from ($ext_if) tagged WWW      <- dispatch only marked WWW
>
> PF works very well in situations like this. With PF it is possible to
> divide LAN traffic and router traffic easily.
Could someone please explain how the nat rules work in the above
example? I had a quick look at the pf manpage for tagging but it does
not mention its use in conjunction with NAT. Is there much connection
overhead/performance difference by using tags? Is the above the only
solution?

Why is it that I cannot see any traffic via tcpdump on lo1?
_______________________________________________
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
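As an added illustration of the tag/tagged mechanism discussed above (editor's example, not a configuration posted by either participant): on the outbound path pf evaluates translation rules before filter rules, so the nat rule is where the tag is attached, and the later pass/block rules read it to tell jail traffic from the host's own traffic once both carry the same source address. It assumes xn0 as the external interface (from the thread), jail addresses 10.1.1.1 and 10.1.1.2 bound to lo1, and illustrative port numbers.

```pf
# pf.conf fragment (constructed example): per-jail policy via packet tags
ext_if   = "xn0"
jail_www = "10.1.1.1"     # jail address on lo1 (assumed)
jail_sql = "10.1.1.2"     # second jail address on lo1 (assumed)

# --- Translation ---------------------------------------------------------
# Jail traffic to the Internet is routed straight out $ext_if; it never
# traverses lo1, so it is first seen by pf as "out on $ext_if". nat is
# evaluated before the filter rules, so set the tag here.
nat on $ext_if inet from $jail_www to any tag WWW -> ($ext_if)
nat on $ext_if inet from $jail_sql to any tag SQL -> ($ext_if)

# --- Filtering -----------------------------------------------------------
block all

# After translation every outbound packet has ($ext_if) as source; the tag
# is the only thing that still distinguishes jail traffic from host traffic.
pass out quick on $ext_if inet proto tcp from ($ext_if) to any \
    port { 80 443 } tagged WWW
pass out quick on $ext_if inet proto tcp from ($ext_if) to any \
    port 3306 tagged SQL

# Anything else that carries a jail tag is dropped so that the jails cannot
# fall through to the host's more permissive rule below.
block out quick on $ext_if tagged WWW
block out quick on $ext_if tagged SQL

# Untagged traffic is the host's own; allow it and keep state.
pass out on $ext_if inet from ($ext_if) to any keep state
```

Tags live in the packet's in-kernel metadata, not on the wire, so they add no per-packet bytes; the cost is one extra string comparison per rule that uses `tagged`.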