FreeBSD – PF rules and configuration to allow a local IP alias to NAT on FreeBSD

Tags: freebsd, pf

Here are the exact details of my configuration:

Firewall/DNS Server: 192.168.2.1 (local lan) which routes out to the internet. <– NOT UNDER MY CONTROL
My FreeBSD Server: 192.168.2.23 (LAN)

"Inside" of my server, I have a jail. (I will have more, once my firewall rules are working.) I'm setting this up using ezjail, and that much is working. I want to assign it an alias on my FreeBSD server's loopback device lo0, and to give this jail an IP of 127.0.0.10.

So far in my /etc/pf.conf, the following is working:

# allow the outside world or internet to hit my FreeBSD server on 6500, and send this traffic to 6500
# verified through nc -l 6500 inside the jail, and telnet in from outside world
rdr pass on em0 inet proto tcp from any to 192.168.2.23 port = 6500 -> 127.0.0.10 port 6500

However, I have 2 more needs:

1) The jail must be able to send TCP traffic to any INTERNET IP (not 192.* or 127.*) on ports 5555 or 7070 or TBD
2) The jail must be able to send TCP traffic to 192.168.2.1 on the DNS port only (I MUST use this as an NS because of the way the main firewall out of my control is set up, I cannot change that)

And I have no idea how to set up pf to do this. Any help would be appreciated. Exact pf.conf lines would be EXTREMELY appreciated. I'm not a networking guy; I have read many, many FAQs and man pages on this, and it always ends up that I'm either following the pf >4.5 syntax or I'm totally confused by what they are digging into. What I list here is literally everything my "firewall" needs to do, so it's frustrating to do so much research and only get 1/3 of it going. This seems like a very basic use case.

Supporting info:

In rc.conf I've set up:

defaultrouter="192.168.2.1"
ifconfig_em0="inet 192.168.2.23  netmask 255.255.255.0"
ifconfig_lo0_alias0="inet 127.0.0.10 netmask 255.255.255.0"
pf_enable="YES"
gateway_enable="YES"            # Enable as LAN gateway

My ifconfigs give me:

server# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
    ether 00:0c:29:fc:6f:48
    inet 192.168.2.23 netmask 0xffffff00 broadcast 192.168.2.255
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=3<RXCSUM,TXCSUM>
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 
    inet6 ::1 prefixlen 128 
    inet 127.0.0.1 netmask 0xff000000 
    inet 127.0.0.10 netmask 0xffffff00 
    nd6 options=3<PERFORMNUD,ACCEPT_RTADV>


jail# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
    ether 00:0c:29:fc:6f:48
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=3<RXCSUM,TXCSUM>
    inet 127.0.0.10 netmask 0xffffff00

Best Answer

I'm a little rusty with PF, but are you looking for something like this?

# NAT the outbound traffic
match out on [interface] from 192.168.2.23 to any nat-to [ip]

# outbound TCP to anything outside the LAN on the listed ports
pass on [interface] inet proto tcp from 192.168.2.23 to !192.168.2.0/24 port {7070 5555}

# outbound TCP to the DNS server on port 53 only
pass on [interface] inet proto tcp from 192.168.2.23 to 192.168.2.1 port domain

I've always found both the OpenBSD PF documentation and this site to be handy...

Edit:

# NAT the jail's outbound traffic
match out on [interface] from 127.0.0.10 to any nat-to [ip]

# jail -> DNS server, port 53 only
pass quick on [interface] inet proto tcp from 127.0.0.10 to 192.168.2.1 port domain

# jail -> anything outside the LAN
pass on [interface] from 127.0.0.10 to !192.168.2.0/24

I believe that's what you are looking for based on the comment you left.
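The answer above uses the newer match/nat-to syntax. As an added example that is not part of the question or the answer, here is a complete pf.conf covering the same three needs in the nat/rdr syntax that FreeBSD's pf uses, assuming em0, 192.168.2.23, 127.0.0.10 and 192.168.2.1 from the question; the macro, table and tag names (<localnets>, JAIL) are my own choices.

```pf
# Added example, not the question's or the answer's own rules: the three needs
# from the question in the nat/rdr pf.conf syntax FreeBSD's pf uses (the style
# older than OpenBSD 4.7). Assumed from the question: em0 is the LAN interface,
# 192.168.2.23 the host, 127.0.0.10 the jail, 192.168.2.1 the DNS server.
# The macro, table and tag names below are my own choices.
ext_if  = "em0"
srv_ip  = "192.168.2.23"
jail_ip = "127.0.0.10"
dns_srv = "192.168.2.1"
table <localnets> const { 192.0.0.0/8, 127.0.0.0/8 }   # "not 192.* or 127.*"

set skip on lo0        # host <-> jail traffic on the loopback is not filtered

# Translation runs before filtering, so the filter rules see the jail's packets
# with the host's address as source. Tag them here so the filter can still tell
# the jail's traffic from the host's own.
nat on $ext_if inet from $jail_ip to any tag JAIL -> ($ext_if)

# Inbound 6500 -> jail (the rule the question already has working).
rdr pass on $ext_if inet proto tcp from any to $srv_ip port 6500 -> $jail_ip port 6500

block all              # default deny; every pass below is an explicit hole

# Need 2: jail -> the mandated DNS server, port 53 only.
# (TCP as asked; a stub resolver normally also needs "proto udp" to port domain.)
pass out quick on $ext_if inet proto tcp to $dns_srv port domain tagged JAIL keep state

# Need 1: jail -> anything that is not 192.* / 127.*, on the listed ports only.
pass out quick on $ext_if inet proto tcp to ! <localnets> port { 5555, 7070 } tagged JAIL keep state

# Anything else the jail tries to send is dropped here, before the host's own
# (untagged) outbound traffic is allowed below.
block out quick on $ext_if from any to any tagged JAIL

# The host itself: unrestricted outbound; inbound only what it serves (ssh here,
# so "block all" does not lock you out of the box).
pass in  quick on $ext_if inet proto tcp from any to $srv_ip port ssh keep state
pass out quick on $ext_if inet from $srv_ip to any keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and `pfctl -ss` afterwards to confirm the jail's DNS and port 5555/7070 states are created with the host's address as their translated source.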
