Hello - I would like to get some feedback on how to achieve this kind of filtering with FreeBSD.
Ideally, I have a jail with a service running. I know the service needs to make HTTPS calls to a given set of upstream hosts. I would like to filter the outbound connections, such that only these connections are allowed.
In a non-FreeBSD setup, I saw this solved by
1. Setting a custom DNS resolver answering the service (or here, probably the whole jail), returning a fixed IP (see next point) for any request.
2. The fixed IP was pointing to a TCP proxy outside the sandbox (here jail), which had the capability to observe the TLS SNI (for example https://www.haproxy.com/documentation/haproxy-configuration-manual/latest/#req_ssl_sni)
I assume a similar setup could work in FreeBSD, but if there's a more direct approach, I would be interested. For example, I don't know if one of the firewalls has the ability to match on SNI.
Thank you!
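As an added example (not code from the post above and not HAProxy's implementation), this is the SNI allow-list check that the TCP proxy in step 2 applies to the first bytes of each connection coming out of the jail: it parses the TLS record and handshake headers, walks the ClientHello to the server_name extension, and defaults to deny when the name is absent, malformed or not on the list. The host names in ALLOWED_UPSTREAMS are hypothetical, and build_client_hello produces a constructed ClientHello (not a capture) so the check can be exercised offline.

```python
import struct
from typing import Optional, Tuple

# Hypothetical allow-list of upstream hosts the jailed service may reach.
ALLOWED_UPSTREAMS = frozenset({"api.example.com", "updates.example.net"})

TLS_HANDSHAKE = 0x16      # TLS record content_type for handshake messages
CLIENT_HELLO = 0x01       # handshake msg_type
EXT_SERVER_NAME = 0x0000  # server_name extension type
SNI_HOST_NAME = 0x00      # name_type inside server_name


class NotClientHello(ValueError):
    """Raised for anything that is not a complete, well-formed ClientHello."""


def _need(buf: bytes, pos: int, n: int) -> None:
    if pos + n > len(buf):
        raise NotClientHello("truncated ClientHello")


def _parse_server_name(data: bytes) -> Optional[str]:
    """Return the first host_name entry of a server_name extension body, lower-cased."""
    _need(data, 0, 2)
    list_len = struct.unpack("!H", data[:2])[0]
    _need(data, 2, list_len)
    entries, p = data[2:2 + list_len], 0
    while p + 3 <= len(entries):
        name_type = entries[p]
        name_len = struct.unpack("!H", entries[p + 1:p + 3])[0]
        _need(entries, p + 3, name_len)
        name = entries[p + 3:p + 3 + name_len]
        p += 3 + name_len
        if name_type == SNI_HOST_NAME:
            try:
                host = name.decode("ascii").lower()
            except UnicodeDecodeError:
                raise NotClientHello("non-ASCII server_name") from None
            if not host or not all(c.isalnum() or c in ".-" for c in host):
                raise NotClientHello("malformed server_name")
            return host
    return None


def extract_sni(record: bytes) -> Optional[str]:
    """SNI host name from a TLS record carrying a ClientHello; None when the
    ClientHello has no server_name extension; NotClientHello for non-TLS or
    truncated input (the ClientHello is expected to fit in one record)."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:     # record header: type(1) ver(2) len(2)
        raise NotClientHello("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < rec_len:
        raise NotClientHello("truncated record")
    if len(body) < 4 or body[0] != CLIENT_HELLO:          # handshake header: type(1) len(3)
        raise NotClientHello("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < hs_len:
        raise NotClientHello("truncated handshake message")
    pos = 2 + 32                                          # client_version + random
    _need(hello, pos, 1)
    pos += 1 + hello[pos]                                 # session_id
    _need(hello, pos, 2)
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0] # cipher_suites
    _need(hello, pos, 1)
    pos += 1 + hello[pos]                                 # compression_methods
    if pos == len(hello):
        return None                                       # legacy ClientHello, no extensions
    _need(hello, pos, 2)
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    _need(hello, pos, ext_total)
    while pos + 4 <= end:                                 # walk extensions until server_name
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        _need(hello, pos, ext_len)
        if ext_type == EXT_SERVER_NAME:
            return _parse_server_name(hello[pos:pos + ext_len])
        pos += ext_len
    return None


def filter_client_hello(record: bytes, allowed=ALLOWED_UPSTREAMS) -> Tuple[bool, str]:
    """Allow/deny decision for one connection's first bytes. Default deny."""
    try:
        sni = extract_sni(record)
    except NotClientHello as exc:
        return False, f"deny: {exc}"
    if sni is None:
        return False, "deny: ClientHello carries no server_name"
    if sni in allowed:
        return True, f"allow: {sni}"
    return False, f"deny: {sni} not in allow-list"


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed sample ClientHello (not a capture): TLS 1.2 version fields, one
    cipher suite, a supported_groups extension the parser must skip over, and
    then the server_name extension if a name is given."""
    groups = struct.pack("!HH", 2, 0x001D)                        # list len 2, x25519
    exts = struct.pack("!HH", 0x000A, len(groups)) + groups
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
        sn_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sn_list)) + sn_list
    hello = (b"\x03\x03" + b"\x11" * 32                   # version, fixed filler random
             + b"\x00"                                    # empty session_id
             + struct.pack("!H", 2) + b"\x13\x01"         # one suite: TLS_AES_128_GCM_SHA256
             + b"\x01\x00"                                # compression: null only
             + struct.pack("!H", len(exts)) + exts)
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

In the proxy, the bytes read from the jail side are handed to filter_client_hello before any upstream socket is opened; on allow, the proxy resolves the parsed name itself (outside the jail) and connects to that host on 443, replaying the buffered ClientHello, so a client that lies in its SNI only ends up talking to an allowed host whose certificate will not match. Two caveats a practitioner would want: the jail's own pf/ipfw rules still have to drop everything except traffic to the proxy address (the fake DNS answer alone is only a convenience, not an enforcement point), and the check is only as good as the plaintext SNI, so TLS 1.3 Encrypted Client Hello, or a ClientHello split across several records, will show up here as a deny rather than an allow.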