This is just an example configuration for pf on FreeBSD with two or more jails. The jails live on private addresses, so inbound traffic to them is redirected with rdr and their outbound traffic is translated with nat.
The ruleset:

```
ext_if="em0"
ext_if2="em1"      # assumed value: the original post uses $ext_if2 below but never defines it
sshd_port="45678"
web="192.168.0.1"
db="192.168.0.2"

scrub in

# Redirect web traffic to the jail.
rdr on $ext_if  proto tcp from any to ($ext_if)  port http  -> $web port http
rdr on $ext_if  proto tcp from any to ($ext_if)  port https -> $web port https
rdr on $ext_if2 proto tcp from any to ($ext_if2) port http  -> $web port http

# Allow jail traffic to NAT back out to anywhere.
nat on $ext_if  from $web to any -> ($ext_if)
nat on $ext_if  from $db  to any -> ($ext_if)
nat on $ext_if2 from $web to any -> ($ext_if2)   # original had ($ext_if); traffic leaving ext_if2 must use ext_if2's address

# FILTERING RULES
block in
block in quick inet6 all
pass out keep state
pass quick on { lo }
antispoof log quick for { lo }
pass in  on $ext_if proto tcp to ($ext_if) port { $sshd_port } keep state
pass out on $ext_if proto tcp to ($ext_if) port { $sshd_port } keep state

# Additional inbound web rules. No per-jail "pass out" is needed: the general
# "pass out keep state" rule above already covers the jails' outbound traffic
# (nat/rdr rules written with "pass" would bypass the filter rules entirely).
pass in on $ext_if  proto tcp to $web port { http, https } keep state
pass in on $ext_if2 proto tcp to $web port { http } keep state
```
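As an added check (my own script, not part of the post), here is a small linter for a ruleset in this style. It flags macros that are referenced but never defined, which pfctl refuses to load, and for every rdr target address it reports whether the companion nat and pass in rules exist, the pairing each jail in this setup needs. The sample ruleset embedded below is constructed for the demonstration.

```python
import re

# Constructed sample in the style of the post (not the post's file): $ext_if2 is undefined and db has an rdr but no nat/pass.
SAMPLE_PF_CONF = """\
ext_if="em0"
web="192.168.0.1"
db="192.168.0.2"
rdr on $ext_if proto tcp from any to ($ext_if) port http -> $web port http
rdr on $ext_if proto tcp from any to ($ext_if) port 5432 -> $db port 5432
nat on $ext_if from $web to any -> ($ext_if)
nat on $ext_if2 from $web to any -> ($ext_if)
pass in on $ext_if proto tcp to $web port { http, https } keep state
"""

MACRO_DEF = re.compile(r'^([A-Za-z_]\w*)\s*=\s*"?([^"]*)"?$')
MACRO_REF = re.compile(r'\$([A-Za-z_]\w*)')

def parse(conf):
    """Split a pf.conf into macro definitions and rule lines (comments stripped)."""
    macros, rules = {}, []
    for line in (raw.split('#', 1)[0].strip() for raw in conf.splitlines()):
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
        elif line:
            rules.append(line)
    return macros, rules

def undefined_macros(conf):
    """Macro names used in rules but never defined; pfctl rejects such a file."""
    macros, rules = parse(conf)
    return sorted({n for r in rules for n in MACRO_REF.findall(r) if n not in macros})

def expand(rule, macros):
    # Substitute $macro references; unknown macros are left as-is for the report.
    return MACRO_REF.sub(lambda m: macros.get(m.group(1), m.group(0)), rule)

def jails_missing_rules(conf):
    """For every rdr target, list the companion rules (nat, pass in) that are absent."""
    macros, rules = parse(conf)
    expanded = [expand(r, macros) for r in rules]
    result = {}
    for r in expanded:
        if not r.startswith('rdr'):
            continue
        target = r.split('->', 1)[1].split()[0]   # address after "->" is the jail
        missing = [kind for kind, key in (('nat', f'from {target} '), ('pass in', f'to {target} '))
                   if not any(x.startswith(kind) and key in x for x in expanded)]
        result[target] = missing
    return result
```

Run it against a real file with `jails_missing_rules(open('/etc/pf.conf').read())`; an empty list for a jail means its rdr, nat and pass in rules are all present.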