IPFW Jail on a server with single IP

Hello,

I have a server with a single public IP. I use IPFW as the firewall. I decided to use jails for segregating various services on the host (HTTP, IMAP etc.). I got the jail set up, using ezjail -- fairly straightforward. :) Now I want to enable port forwarding of connections from the external IP:www port to the jail's IP port:www. I created a cloned interface in rc.conf:
Code:
cloned_interfaces="${cloned_interfaces} lo1"
ipv4_addrs_lo1="192.168.254.1-29/27"
ezjail_enable="YES"
Each jail has a separate IP in the 192.168.254.x range. I did a quick web search and came up with the following rules. I'm not sure if they are sound rules (i.e. no security issues). These rules are in addition to all the other rules that I have.
Code:
# portforward port 80 on public IP to first jail's port 80
ipfw nat 1 config ip <MY_public_ip> unreg_only same_ports redirect_port tcp 192.168.254.2:80 80

# NAT rule for www-jail port 80 ($pif holds the name of the public interface)
ipfw add 99 nat 1 ip from any to any via $pif
By adding these two rules IP forwarding seems to work (I haven't tested it completely). I want to know if this is the correct way of enabling what I want to achieve. I want external IPs/users to reach the jails and enable jails to make outbound connections.

Please help me understand the rules needed for port forwarding/redirection/NATting. Let me know if there is a tutorial or a blog which could help me.

-Thanks in advance
Vijay

EDIT: Version -- 10.1 -- fresh install
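A complete ipfw NAT plus filter script for the layout described in the post, added here as an example; it is not the poster's configuration. It assumes the public interface is em0 and uses the documentation address 203.0.113.10 in place of <MY_public_ip>; it sets net.inet.ip.fw.one_pass=0 so that translated packets continue through the filter rules instead of being accepted straight after the nat rule, and it exposes only TCP/80 of the jail network to the outside.

```shell
#!/bin/sh
# Added example (not the poster's script): one public IP, jails on lo1 in
# 192.168.254.0/27, HTTP redirected to the www jail. Assumed values: public
# interface em0, address 203.0.113.10. Prerequisite: kldload ipfw ipfw_nat.
PIF="${PIF:-em0}"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"
JAIL_NET="192.168.254.0/27"
WWW_JAIL="192.168.254.2"
IPFW="${IPFW:-ipfw}"     # IPFW=echo previews the commands instead of applying
# Print the ruleset, one ipfw(8) argument line per rule. Lines starting with
# "#" are comments and are stripped before being passed to ipfw.
ipfw_rules() {
    cat <<EOF
# NAT instance: translate only private sources; the one inbound redirect
# is TCP/80 -> www jail. Nothing else on the jail network is exposed.
nat 1 config ip $PUBLIC_IP unreg_only same_ports redirect_port tcp $WWW_JAIL:80 80
add 100 allow ip from any to any via lo0
add 110 allow ip from any to any via lo1
# De-alias inbound packets first, then consult dynamic state. With
# net.inet.ip.fw.one_pass=0 the packet continues to the rules below.
add 200 nat 1 ip4 from any to any in via $PIF
add 210 check-state
# New inbound connections: only the redirected web port reaches the jail.
# keep-state + skipto makes replies execute the jump to the outbound NAT.
add 300 skipto 1000 tcp from any to $WWW_JAIL 80 in via $PIF setup keep-state
add 310 deny log ip from any to $JAIL_NET in via $PIF
# (add the host's own inbound services, e.g. ssh to $PUBLIC_IP, here)
# Outbound: host and jails may originate connections.
add 400 skipto 1000 ip from $PUBLIC_IP to any out via $PIF keep-state
add 410 skipto 1000 ip from $JAIL_NET to any out via $PIF keep-state
add 500 deny log ip from any to any
# Reached only via skipto: alias outbound jail traffic, then accept.
add 1000 nat 1 ip4 from any to any out via $PIF
add 1010 allow ip from any to any
EOF
}
# Enable forwarding, make NAT'd packets re-enter the ruleset, load rules.
apply_rules() {
    sysctl net.inet.ip.forwarding=1 net.inet.ip.fw.one_pass=0 >/dev/null
    $IPFW -q -f flush
    ipfw_rules | grep -v '^#' | while read -r rule; do
        $IPFW -q $rule    # unquoted on purpose: one rule, split into words
    done
}
case "${1:-}" in
    apply) apply_rules ;;
    *) ipfw_rules ;;      # default: just print the rules
esac
```

Run it as root with `apply` to load the rules; without arguments (or with `IPFW=echo`) it only prints them for review.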