nat + pf, network weirdness

other at ahhyes.net other at ahhyes.net
Sun Jan 22 07:38:44 UTC 2012


On 2012-01-22 01:13, Виталий Владимирович wrote:
>> nat on xn0 from 10.1.1.0/24 to any -> (xn0)
>>
>   You should use Packet Tagging (Policy Filtering).
>   Something like this:
>
>   nat on $ext_if tag WWW tagged WWW -> ($ext_if)
>   nat on $ext_if tag SQL tagged SQL -> ($ext_if)
>
>   ......
>
>    block in
>    block out
>    pass in quick on lo1 inet from 10.1.1.1 to !(self) tag WWW <- mark
> traffic from jail to world
>    .....
>    pass out quick on $ext_if inet from ($ext_if) tagged WWW <-
> dispatch only marked WWW
>
>   PF is very well in situations like this. With PF it is possible to
> divide LAN traffic and router traffic easily.

Could someone please explain how the nat rules work in the above 
example, I had a quick look at the pf manpage for tagging but it does 
not mention it's use in conjunction with NAT. Is there much connection 
overhead/performance difference by using tags? Is the above the only 
solution?

Why is it I cannot see any traffic via tcpdump on lo1?



More information about the freebsd-jail mailing list