From owner-freebsd-jail@FreeBSD.ORG Sun Jan 22 07:38:43 2012
From: other@ahhyes.net
To: freebsd-jail@freebsd.org
Date: Sun, 22 Jan 2012 18:38:35 +1100
Subject: Re: nat + pf, network weirdness
In-Reply-To: <22966.1327155238.9808034899287998464@ffe8.ukr.net>
References: <22966.1327155238.9808034899287998464@ffe8.ukr.net>
User-Agent: Roundcube Webmail/0.7
List-Id: "Discussion about FreeBSD jail(8)"

On 2012-01-22 01:13, Виталий Владимирович wrote:

>> nat on xn0 from 10.1.1.0/24 to any -> (xn0)
>>
> You should use Packet Tagging (Policy Filtering).
> Something like this:
>
> nat on $ext_if tag WWW tagged WWW -> ($ext_if)
> nat on $ext_if tag SQL tagged SQL -> ($ext_if)
>
> ......
>
> block in
> block out
> pass in quick on lo1 inet from 10.1.1.1 to !(self) tag WWW <- mark traffic from jail to world
> .....
> pass out quick on $ext_if inet from ($ext_if) tagged WWW <- dispatch only marked WWW
>
> PF is very good in situations like this. With PF it is possible to
> divide LAN traffic and router traffic easily.

Could someone please explain how the nat rules work in the above example? I had a quick look at the pf manpage for tagging, but it does not mention its use in conjunction with NAT.

Is there much connection overhead/performance difference from using tags? Is the above the only solution?

Why is it that I cannot see any traffic via tcpdump on lo1?
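As an added example for this thread (written for this page, not configuration from either poster), the fragment below shows tags being applied inside the nat rules themselves and then used to decide which translated packets may leave the external interface. It relies on pf.conf(5) allowing `tag` on nat, rdr and binat rules, and on translation rules being evaluated before filter rules on the same interface, which is why the jail's pre-NAT source address is matched in the nat rule rather than in a filter rule on lo1. The interface name xn0 comes from the original rule; the jail addresses, tag names and allowed ports are assumptions.

```pf
# Added example; not the configuration of either list poster.
# Assumed layout: xn0 is the external interface (as in the original
# "nat on xn0" rule), the jails are aliases on lo1.
ext_if   = "xn0"
jail_www = "10.1.1.1"   # assumed address of the web jail
jail_sql = "10.1.1.2"   # assumed address of the database jail

# Translation is applied before filtering on $ext_if, so the tag is set
# here while the untranslated jail source address is still visible.
# Tags are sticky and follow the packet (and its state) after NAT.
nat on $ext_if inet from $jail_www to any tag WWW -> ($ext_if)
nat on $ext_if inet from $jail_sql to any tag SQL -> ($ext_if)

# Default deny in both directions.
block in all
block out all

# Jail-to-host and jail-to-jail traffic over loopback.
pass quick on lo0 all
pass quick on lo1 all

# Outbound on $ext_if the source is already ($ext_if), so the tag is the
# only reliable way to tell which jail a packet came from.
# Web jail: HTTP/HTTPS and DNS only.
pass out quick on $ext_if inet proto tcp to any port { 80 443 } tagged WWW
pass out quick on $ext_if inet proto udp to any port 53 tagged WWW
# Database jail: DNS only.
pass out quick on $ext_if inet proto udp to any port 53 tagged SQL

# Anything else carrying a jail tag is dropped here, before the host rule
# below could accidentally match its translated source address.
block out quick on $ext_if tagged WWW
block out quick on $ext_if tagged SQL

# The host's own traffic is untagged; a jail with no nat rule keeps its
# 10.1.1.x source, matches nothing here and is caught by "block out all".
pass out quick on $ext_if inet from ($ext_if) to any

# Note on lo1: a packet from a jail bound to an lo1 alias and addressed to
# the outside is routed straight out $ext_if; it only traverses lo1 when
# the destination is a local address, which is why filtering "in on lo1"
# does not see jail-to-world traffic.
```

The `tagged` keyword is a filter option and goes after the address/port part of a rule; in a nat rule `tag` sits after the hosts and before `->`. Load with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`.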