From owner-freebsd-net@freebsd.org Sun Jun 26 10:40:53 2016
From: James Lodge <James@Lodge.me.uk>
To: "org.freebsd.security@io7m.com", "freebsd-net@freebsd.org"
Subject: Re: Filtering outbound traffic for private address jails?
Date: Sun, 26 Jun 2016 10:25:26 +0000
References: <20160625220137.1ed8de16@copperhead.int.arc7.info>, <20160626100643.7a1f650e@copperhead.int.arc7.info>
In-Reply-To: <20160626100643.7a1f650e@copperhead.int.arc7.info>
List-Id: Networking and TCP/IP with FreeBSD

> 'Lo.
>
> On 2016-06-26T02:32:04 +0000
> James Lodge wrote:
>
> > If you clone lo1, give it a 192.168.x.x/32 IP and then use the following pf.conf.
> > Do you need to bridge the interfaces? You may need to add gateway_enable="YES" to rc.conf.
> >
> > Not sure if that's what you're trying to do?
> >
> > James
> >
> > IP_PUB="Your Public IP Address Here"
> > IP_JAIL="192.168.0.2"
> > NET_JAIL="192.168.0.0/24"
> > PORT_JAIL="{80,443,2020}"
> >
> > scrub in all
> > nat pass on em0 from $NET_JAIL to any -> $IP_PUB
> > rdr pass on em0 proto tcp from any to $IP_PUB port $PORT_JAIL -> $IP_JAIL
>
> Interesting!
>
> Writing the filtering rules as "nat pass" statements does at least
> allow basic outbound filtering, as specifying a rule along with the nat
> statement allows you to talk about individual specific jails.
>
> Thanks, I will try using this if vnet jails don't work out.
>
> M

I'm doing something very similar to you in a Digital Ocean droplet with a single public IP, though I don't filter outbound. I reverse proxy HTTP(S) via nginx with SNI support mostly. It works very well for me, I just wish (though I know it's being looked at and possibly coming soon) I had ZFS.
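As an added example (not James's configuration and not part of the thread), the pf.conf below takes the "nat pass" observation one step further and gives each jail its own outbound policy. It assumes em0 as the external interface, a placeholder public address from the RFC 5737 documentation range, two jails on lo1 aliases at 192.168.0.2 and 192.168.0.3, and the pf behaviour documented in pf.conf(5): translation rules are evaluated before filter rules, and a translation rule carrying the pass modifier passes the packet without consulting the filter rules at all.

```pf
# Added example, not the thread's own configuration. Per-jail outbound
# policy for jails on private addresses behind one public IP.
# Assumed names: em0 as the external interface, 203.0.113.10 (RFC 5737
# documentation range) standing in for the real public address, and two
# jails on lo1 aliases.
ext_if       = "em0"
ip_pub       = "203.0.113.10"
jail_web     = "192.168.0.2"
jail_db      = "192.168.0.3"
net_jail     = "192.168.0.0/24"
ports_web_in = "{ 80, 443 }"

set skip on lo0
scrub in all

# --- Translation -----------------------------------------------------------
# Coarse version from the thread: one rule lets every jail reach anything.
#   nat pass on $ext_if from $net_jail to any -> $ip_pub
#
# Once the source has been rewritten to $ip_pub, a filter rule on $ext_if
# can no longer tell the jails apart, so the per-jail decision has to be
# made here, in the translation rule, with the "pass" modifier.

# Web jail: DNS lookups and outbound HTTP(S) only.
nat pass on $ext_if proto udp from $jail_web to any port 53 -> $ip_pub
nat pass on $ext_if proto tcp from $jail_web to any port { 80, 443 } -> $ip_pub

# DB jail: deliberately no translation rule. Its outbound packets are never
# rewritten and are dropped by the block rule in the filter section before
# they can leave with a private source address.

# Inbound service forwarding to the web jail ("pass" here likewise bypasses
# the filter rules for the forwarded connections).
rdr pass on $ext_if proto tcp from any to $ip_pub port $ports_web_in -> $jail_web

# --- Filtering -------------------------------------------------------------
# Anything from the jail network that reaches this point did not match a
# "nat pass" rule above, so it still carries a 192.168.0.0/24 source. Log it:
# a hit here is a jail trying to reach something its policy does not allow.
block out log quick on $ext_if from $net_jail to any

block in log all

# The host's own traffic, and only the host's: translated jail traffic was
# already passed by the nat rules and never reaches the filter section.
pass out on $ext_if from $ip_pub keep state

# Administrative access to the host itself; restrict the source in practice.
pass in on $ext_if proto tcp from any to $ip_pub port 22 keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and use `pfctl -sn` and `pfctl -sr` to see how pfctl expanded the port lists. Because the catch-all block rule logs, `tcpdump -n -e -ttt -i pflog0` shows exactly which private address tried to reach which destination and port, which is the evidence you want when deciding whether a jail's policy is too tight or the jail is doing something it should not.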