Re: Setup of jail bound to lo0
From: Sten Spans (sten_at_blinkenlights.nl)
Date: 03/21/05
- Previous message: Bruce M Simpson: "Re: OpenBGPD with FreeBSD"
- In reply to: Sławek Żak: "Re: Setup of jail bound to lo0"
- Next in thread: _at_babolo.ru: "Re: Setup of jail bound to lo0"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Mon, 21 Mar 2005 23:17:59 +0100 (CET)
To: Sławek Żak <slawek.zak@gmail.com>
On Mon, 21 Mar 2005, Sławek Żak wrote:
> On Wed, 16 Mar 2005 10:47:25 +0100 (CET), Sten Spans
> <sten@blinkenlights.nl> wrote:
>> On Wed, 16 Mar 2005, Sławek Żak wrote:
>>
>>> Hi,
>>>
>>
>> pf:
>>
>> # Tables: similar to macros, but more flexible for many addresses.
>> table <webservers> { 1.2.3.4, 5.6.7.8, 9.9.9.9 }
>>
>> # Translation: specify how addresses are to be mapped or redirected.
>> nat on $ext_if from $loopback_addr to any -> ($ext_if)
>>
>> # rdr: packets coming in on $ext_if with destination <webservers>:80
>> rdr on $ext_if proto tcp from any to <webservers> port 80 -> $loopback_addr port 80
>
> Hi,
>
> It sure works :)
>
> My rules are:
>
> ext_if="lnc0"
> table <webservers> { 127.0.0.2, 127.0.0.3 }
> nat on $ext_if from <webservers> to any -> ($ext_if)
> rdr on $ext_if proto tcp from any to any port 80 -> 127.0.0.2 port 80
>
> I wasn't sure what you meant by $loopback_addr. I will add rules like
> this for every server:
>
> rdr on $ext_if proto tcp from any to any port 81 -> 127.0.0.3 port 80
My setup is a bit different. I have 1 jail
with ip 10.0.0.1, and multiple external ips
distributed with vrrp.
internal_net="192.168.1.0/23"
loopback_addr="10.0.0.1"
table <webservers> { 1.2.3.21, 1.2.3.22, 1.2.3.23 }
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all
# Translation: specify how addresses are to be mapped or redirected.
nat on $ext_if from $loopback_addr to any -> ($ext_if)
# rdr: packets coming in on $ext_if with destination <webservers>:80
rdr on $ext_if proto tcp from any to <webservers> port 80 -> $loopback_addr port 80
# block all packets from $loopback_addr on the internal interface
block in on $lo_if from $loopback_addr to $internal_net
> Nice thing this PF. I can't do this in IPFilter.
pf is quite nice indeed.
> Thank you very much Sten!
no problem.
--
Sten Spans
"There is a crack in everything, that's how the light gets in."
Leonard Cohen - Anthem
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
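A complete pf.conf assembled from the rules in this thread, added here as an example rather than either poster's own file. It assumes interface names lnc0 and lo0, a jail address of 127.0.0.2 aliased onto lo0, and the internal net and web server addresses from Sten's mail; it places the broad `to any` rdr beside the table-restricted one and adds a default deny on the external interface, which the thread does not show.

```pf
# Assumed names and addresses (constructed for this example).
ext_if="lnc0"
lo_if="lo0"
internal_net="192.168.1.0/23"
loopback_addr="127.0.0.2"          # jail address, aliased onto lo0
table <webservers> { 1.2.3.21, 1.2.3.22, 1.2.3.23 }   # public addresses

# Normalization: reassemble fragments before any filtering.
scrub in all

# Outbound: the jail's loopback address is not routable, so rewrite its
# source address to the external interface's address.
nat on $ext_if from $loopback_addr to any -> ($ext_if)

# Broad form from the thread: matches every port-80 connection arriving
# on $ext_if, whatever destination address it was sent to.
# rdr on $ext_if proto tcp from any to any port 80 -> $loopback_addr port 80

# Restricted form: only connections addressed to the listed web server
# addresses are redirected into the jail.
rdr on $ext_if proto tcp from any to <webservers> port 80 -> $loopback_addr port 80

# Keep the jail's loopback address away from the internal network
# (as in the thread).
block in on $lo_if from $loopback_addr to $internal_net

# Default deny on the external interface, then allow only the redirected
# web traffic. Filter rules see the packet after rdr, so the destination
# here is already $loopback_addr.
block in on $ext_if
pass in on $ext_if proto tcp from any to $loopback_addr port 80 flags S/SA keep state
pass out on $ext_if keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; pf evaluates rules last-match-wins unless `quick` is used, so keep the `block` lines above the `pass` lines that should override them.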