# Connection from inside Jail



## halplus (May 31, 2013)

Hi folks,

I am looking to make one of the jails in my server to be able to connect to itself using the external IP. So you understand me. I want to access my domain that points to the server IP from inside the jail as if I were accessing it from the outside. But I am totally lost. I try rdr and nat, nothing. I tried to see if a filtering rule was interfering but can't find one.

*H*ere are my PF rules:


```
# interface names definition
ext_if = "re0"
webjail="10.10.10.x1"
sqljail="10.10.10.x2"
appjail="10.10.10.x3"
mailjail="10.10.10.x4"

# do not filter loopback
set skip on le0

scrub in all
# map external ip to tomcat
#rdr pass on $ext_if proto tcp from any to $ext_if port 80 -> $ext_if port 8081

#redirect to jailed webserver
rdr pass on $ext_if proto tcp from any to $ext_if port 80 -> $webjail port 80
rdr pass on $ext_if proto tcp from any to $ext_if port 22 -> $appjail port 22
rdr pass on $ext_if proto tcp from any to $ext_if port 51413 -> $appjail port 51
rdr pass on $ext_if proto udp from any to $ext_if port 51413 -> $appjail port 51
#rdr pass on lo1 proto tcp from $webjail to $ext_if port 80 -> $webjail port 80

#move ssl to ssh
rdr pass on $ext_if proto tcp from any to $ext_if port 443 -> $ext_if port 22
rdr pass on $ext_if proto tcp from any to $ext_if port 24 -> $ext_if port 22

#allow jails to see the internet
nat on $ext_if from $webjail to any -> ($ext_if)
nat on $ext_if from $sqljail to any -> ($ext_if)
nat on $ext_if from $appjail to any -> ($ext_if)
nat on $ext_if from $mailjail to any -> ($ext_if)

#block in all
pass out all
#pass in all

block drop in on $ext_if from any to any

# slow down crackers
block quick from <bruteforce>

# leave outide traffic pass
#let computer at work get in
pass in quick on $ext_if from x.x.x.x to any

# permit external SSH access / take away bruteforcers
pass in quick on $ext_if proto tcp from any to $ext_if port 22 flags S/SA keep state (max-src-conn 10, max-src-conn-rate 4/10, overload <bruteforce> flush global)
```


----------



## kpa (May 31, 2013)

> ```
> # do not filter loopback
> set skip on le0
> ```



This should probably read:


```
# do not filter loopback
set skip on lo0
```


----------



## SirDice (May 31, 2013)

It's not going to work. Packets destined for your external IP address never passes out the interface so PF can't touch them. And you can't bounce packets back out the same interface they came in on.


----------



## halplus (Jun 2, 2013)

Thanks for your replies folks. I just modified /etc/hosts inside jail so the domains resolves to jail's IP as a workaround. I could not use jail IP directly as I have there several virtual hosts and that works with the domain name of the host.


----------



## SirDice (Jun 2, 2013)

The solution almost everybody uses is called "split horizon DNS". This means your DNS server resolves hostnames to their internal addresses if the request comes from an internal client. And it resolves the 'external' or internet address for any 'external' requests.


----------

