On 11/08/2010 15:10:06, David Allen wrote:
>> I meant that you could block access to private servers which need to
>> listen on public network ports by just using firewall rules, as opposed
>> to making the whole jail hang off a private interface and just
>> forwarding selected traffic to it.
>>
>> For the second case, you would need pf to do the NAT'ing (or ipfw+natd
>> if that's your preference). With this trick of binding the sensitive
>> daemons to an address on the loopback, you are still secure even if pf
>> gets turned off. Of course, "secure" is not necessarily the same as
>> "working."
>
> I've read comments in the past about setting up jails using local
> loopback addresses, but I'm wondering if you wouldn't mind elaborating
> on what the actual pf rules would look like.
>
> Say you have 3 jails and more than one public IP address:
>
> ns   127.0.0.2   public_ip_1
> mail 127.0.0.3   public_ip_2
> www  127.0.0.4   public_ip_3
>
> You want to pass port 25 traffic to/from the 'mail' jail. But you also
> need that jail to use the correct public_ip address. Is that possible
> without using, for example, pf's binat?
>
> Thanks.
Sure. In the best Blue Peter tradition[*], here's one I prepared earlier:

http://lists.freebsd.org/pipermail/freebsd-questions/2008-March/171748.html

While that talks about redirecting a couple of TCP and one UDP service
into a single jailed host, I think it's pretty clear how to get from
there to having several different jails, each running a different
service.

Cheers,

Matthew

[*] It's a British thing. You have to have been brought up here to
understand.

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW
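As an added illustration of the setup the thread describes (this is not the configuration from the linked 2008 post, nor David's or Matthew's own rules), here is a pf.conf fragment covering all three jails from the question, with inbound rdr to the loopback addresses and outbound nat so each jail leaves with its own public address. The interface name em0 and the 203.0.113.x public addresses are constructed placeholders; the fragment assumes em0 carries those addresses as aliases and lo0 carries 127.0.0.2-4 for the jails.

```pf
# Constructed example: three jails bound to loopback aliases, each
# reachable from outside through its own public address on em0.
# Assumed: em0 has the three public addresses as aliases, and lo0 has
# 127.0.0.2, 127.0.0.3 and 127.0.0.4 configured for the jails.
ext_if = "em0"

ns_jail   = "127.0.0.2"
mail_jail = "127.0.0.3"
www_jail  = "127.0.0.4"

ns_pub    = "203.0.113.1"   # stands in for public_ip_1
mail_pub  = "203.0.113.2"   # stands in for public_ip_2
www_pub   = "203.0.113.3"   # stands in for public_ip_3

# Host-to-jail traffic on the loopback is not filtered.
set skip on lo0

# Translation rules are evaluated before filter rules, so the filter
# rules further down match the translated addresses.

# Inbound: send each public service to the daemon listening on the
# jail's loopback address (the port is unchanged when omitted).
rdr on $ext_if proto { tcp, udp } from any to $ns_pub   port 53 -> $ns_jail
rdr on $ext_if proto tcp          from any to $mail_pub port 25 -> $mail_jail
rdr on $ext_if proto tcp          from any to $www_pub  port 80 -> $www_jail

# Outbound: rewrite each jail's loopback source to its own public
# address, so mail sent from 127.0.0.3 leaves as public_ip_2 rather
# than as the host's primary address. No binat needed.
nat on $ext_if from $ns_jail   to any -> $ns_pub
nat on $ext_if from $mail_jail to any -> $mail_pub
nat on $ext_if from $www_jail  to any -> $www_pub

# Default deny on the outside interface; host services need their own
# pass rules.
block in on $ext_if

# Inbound filter rules see the redirected (loopback) destination.
pass in on $ext_if proto { tcp, udp } from any to $ns_jail   port 53 keep state
pass in on $ext_if proto tcp          from any to $mail_jail port 25 flags S/SA keep state
pass in on $ext_if proto tcp          from any to $www_jail  port 80 flags S/SA keep state

# Outbound filter rules see the NAT'd (public) source.
pass out on $ext_if from { $ns_pub, $mail_pub, $www_pub } to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and inspect the translation rules actually in effect with `pfctl -sn`.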