# How to let different programs use different IP's?



## foghorn (Aug 28, 2010)

Dear people,

I have a VPS and have a couple of IP's I can use.
I want to set it up that for example, my webserver serves on IP x.x.x.29 and my irc client uses x.x.x.30, and so on.

I tried to do some research, and I'll quickly stumbled upon IP aliases, but besides how to set it up, and how to configure apache to use them with virtual hosts, i didn't find much info on it.
Next thing I thought of was pseudo-interfaces as they appear to be called. "ifconfig create x". But I couldn't find all that much info on that either, nor how I would have to configure the program to use that particular NIC.
Another thing was jails, assigning a pseudo interface to a jail and running the program inside the jail. Is this possible?
Last thing I could come up with was brute forcing it with the firewall, but I don't know if that's even possible and some more info would also come in handy.

So does anybody know the best solution for this problem and/or where I can find more info on these things?


----------



## graudeejs (Aug 29, 2010)

Usually such apps have option to bind to IP (postfix, web servers.....), but not all apps can do it....
also you can use jail per setup, and have unique IP per jail....

or you can have many jails with private IPs and use firewall to forward connections


----------



## ctaranotte (Aug 29, 2010)

Jailing the apps is a good option but you can also run the apps as services under a user other than root or daemonize them using screen or dtach.

In your pf.conf, filter the apps' packets using the parameter "user" see  the pf.conf man page.


----------



## graudeejs (Aug 29, 2010)

ctaranotte said:
			
		

> Jailing the apps is a good option but you can also run the apps as services under a user other than root or daemonize them using screen or dtach.
> 
> In your pf.conf, filter the apps' packets using the parameter "user" see  the pf.conf man page.



filtering user and/or group only works for outgoing packets AFAIK


----------



## DutchDaemon (Aug 29, 2010)

killasmurf86 said:
			
		

> filtering user and/or group only works for outgoing packets AFAIK



No, PF is aware of which user/group owns a listening socket and can allow/deny incoming traffic based on that. Example


```
pass  [B]in[/B] quick inet proto tcp all [B]user rtorrent[/B] synproxy state (max-src-conn 10, max-src-
conn-rate 10/5, overload <bruteforce> flush global) queue( torrent, toracks )
pass  [B]in[/B] quick inet proto udp all [B]user rtorrent[/B] keep state (max-src-conn 10, max-src-conn-
rate 10/5, overload <bruteforce> flush global) queue( torrent, toracks )
```


----------

