nat + pf, network weirdness
other at ahhyes.net
Sun Jan 22 07:38:44 UTC 2012
On 2012-01-22 01:13, Виталий Владимирович wrote:
>> nat on xn0 from 10.1.1.0/24 to any -> (xn0)
>>
> You should use Packet Tagging (Policy Filtering).
> Something like this:
>
> nat on $ext_if tag WWW tagged WWW -> ($ext_if)
> nat on $ext_if tag SQL tagged SQL -> ($ext_if)
>
> ......
>
> block in
> block out
> pass in quick on lo1 inet from 10.1.1.1 to !(self) tag WWW <- mark traffic from jail to world
> .....
> pass out quick on $ext_if inet from ($ext_if) tagged WWW <- dispatch only marked WWW
>
> PF is very good in situations like this. With PF it is possible to
> divide LAN traffic and router traffic easily.
Could someone please explain how the nat rules work in the above
example? I had a quick look at the pf manpage for tagging, but it does
not mention its use in conjunction with NAT. Is there much connection
overhead/performance difference by using tags? Is the above the only
solution?
Why is it I cannot see any traffic via tcpdump on lo1?
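As an added illustration of the tag/tagged approach from the reply above (this is not the original poster's or the replier's configuration), here is a complete pf.conf fragment in the FreeBSD pf syntax of that time, where nat rules are written separately from filter rules. The interface names xn0 and lo1, the jail address 10.1.1.1 and the tag name WWW come from the thread; the macro names ext_if, jail_if and jail_ip are assumptions made for readability.

```pf
# Added example: keep a jail's outbound traffic apart from the host's
# own traffic using pf packet tags. Not taken from the thread.
# Assumed macro names; interface and address values are from the thread.
ext_if  = "xn0"
jail_if = "lo1"
jail_ip = "10.1.1.1"

# Translation rules are evaluated before filter rules on the outbound
# interface, but a tag set when the packet was passed in on lo1 travels
# with the packet (it is an mbuf tag), so "tagged WWW" matches only
# packets that entered from the jail. Host traffic is never translated.
nat on $ext_if inet from $jail_ip to any tagged WWW -> ($ext_if)

# Default deny in both directions; log so drops show up on pflog0.
block in log
block out log

# Jail traffic enters the host's stack on lo1: mark it with the tag.
pass in quick on $jail_if inet from $jail_ip to any tag WWW keep state

# Jail traffic leaving the box: after nat its source is the xn0 address,
# so match on the tag rather than on the address.
pass out quick on $ext_if inet tagged WWW keep state

# The host's own outbound traffic: untagged, untranslated.
pass out quick on $ext_if inet from ($ext_if) to any keep state
```

Before loading it, check that the file parses with `pfctl -nf /etc/pf.conf`, then inspect what was actually installed with `pfctl -s nat` and `pfctl -vvs rules` (the per-rule counters show which rule is matching). Packets dropped by the logging block rules can be watched with `tcpdump -n -e -ttt -i pflog0`, which is the quickest way to confirm whether jail traffic is reaching xn0 untagged.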