Simple pf configuration for jails in FreeBSD

This is just an example configuration for pf on FreeBSD with two or more jails. The jails sit on private addresses, so inbound connections are redirected (rdr) from the host's external address to the jail, and outbound jail traffic is translated (nat) to the host's external address on the way out.

Some of the lines below wrap on smaller screens, so I've included extra spaces between the rdr entries to make them easier to read:

ext_if="em0"
ext_if2="em1"   # second external interface referenced by the rules below (interface name assumed)
sshd_port="45678"
web="192.168.0.1"
db="192.168.0.2"

scrub in

# Redirect web traffic to the jail.
rdr on $ext_if proto tcp from any to ($ext_if) port http -> $web port http

rdr on $ext_if proto tcp from any to ($ext_if) port https -> $web port https

rdr on $ext_if2 proto tcp from any to ($ext_if2) port http -> $web port http

# Allow jail traffic to NAT back out to anywhere, using the address of the interface it leaves on.
nat on $ext_if from $web to any -> ($ext_if)
nat on $ext_if from $db to any -> ($ext_if)
nat on $ext_if2 from $web to any -> ($ext_if2)

# FILTERING RULES
block in
block in quick inet6 all
pass out keep state
pass quick on { lo }
antispoof log quick for { lo }
pass in on $ext_if proto tcp to ($ext_if) port { $sshd_port } keep state

pass out on $ext_if proto tcp to ($ext_if) port { $sshd_port } keep state

# Additional inbound web rules. The filter sees the destination after rdr, so these match on $web.
# No per-jail "pass out" is needed: the generic "pass out keep state" above already allows the
# replies and the NATed outbound jail traffic.

pass in on $ext_if proto tcp to $web port { http, https } keep state

pass in on $ext_if2 proto tcp to $web port { http } keep state
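The easiest way to break a ruleset like this is to reference a macro that was never defined (for instance using $ext_if2 without an ext_if2="..." line); pfctl refuses to load the file, and if that happens during an rc reload the host can be left with no rules. The script below is an added example, not part of the original post: a small POSIX sh/awk lint that lists referenced-but-undefined macros, runs pfctl -nf (parse only, nothing is loaded) when pfctl is present, and exercises itself on a constructed sample that reproduces the missing-macro mistake. It assumes only sh, awk, sort and mktemp.

```shell
#!/bin/sh
# Pre-load lint for a pf.conf: report macros that are referenced as $name but
# never defined with name="...".  pfctl -nf rejects such a file, but this check
# runs anywhere (POSIX sh + awk), e.g. in CI before a ruleset reaches the jail host.
# Added example, not part of the original post.

# Print each macro referenced in the file $1 but not defined there, one per line.
pf_undefined_macros() {
    awk '
        { sub(/#.*/, "") }                              # ignore comments
        # Definition lines look like:  name="value"  or  name = value
        /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=/ {
            name = $0
            sub(/^[[:space:]]*/, "", name)
            sub(/[[:space:]]*=.*/, "", name)
            defined[name] = 1
        }
        # Every $name on any line is a reference.
        {
            line = $0
            while (match(line, /[$][A-Za-z_][A-Za-z0-9_]*/)) {
                referenced[substr(line, RSTART + 1, RLENGTH - 1)] = 1
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END { for (r in referenced) if (!(r in defined)) print r }
    ' "$1" | sort
}

# Full pre-load check: the macro lint, then pfctl's own parser when available
# (pfctl -nf parses the file without loading it).  Non-zero exit on any finding.
pf_check() {
    undefined=$(pf_undefined_macros "$1") || return 1
    if [ -n "$undefined" ]; then
        echo "undefined macro(s) in $1:"
        echo "$undefined"
        return 1
    fi
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    fi
}

# Write a constructed ruleset to $1 that reproduces the mistake of using
# $ext_if2 without defining it (constructed sample, not a live config).
write_sample_conf() {
    cat > "$1" <<'EOF'
ext_if="em0"
web="192.168.0.1"
rdr on $ext_if proto tcp from any to ($ext_if) port http -> $web port http
rdr on $ext_if2 proto tcp from any to ($ext_if2) port http -> $web port http
# $commented_out must not count as a reference
nat on $ext_if from $web to any -> ($ext_if)
EOF
}

# Stand-alone demo: the sample is rejected because ext_if2 is undefined.
sample=$(mktemp)
write_sample_conf "$sample"
pf_check "$sample" || echo "ruleset rejected, not loading"
rm -f "$sample"
```

Run it against the real file with `pf_check /etc/pf.conf` before `service pf reload`; the awk pass catches the undefined macro on any machine, and on the FreeBSD host itself pfctl -nf then validates the full syntax without touching the running ruleset.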
