# Internet access within jails (preferably without running PF)



## Anand Suresh (Nov 27, 2014)

I'm building a FreeBSD 10.1-RELEASE system that has two network interfaces: one connected to the external network (henceforth called the external interface) and one connected to our private network (henceforth called the internal interface). The setup is as follows:

- We have one jail with a publicly-visible IP address (203.x.x.x) aliased on to the external interface running our SSL terminator.
- We have multiple jails with private IP addresses (172.16.x.x) aliased on the internal interface running various services.

Communications between the jails is perfect. However, we need to grant Internet access to the jails so that they can communicate with third-party services (think Google, Facebook, etc).

The questions are:

1. How can I set up the networks so that the jails (mainly the ones running services attached to the internal interface) can access the internet?
2. Can this be done without having to use the PF service?
3. Also, please advise what configuration files I should list on this thread.

Thanks


----------



## SirDice (Nov 27, 2014)

One way would be to use NAT, another way would be to install a proxy server on the host and divert all traffic from the jails through that.


----------



## kpa (Nov 27, 2014)

I think you could use natd(8) for the NATing and you wouldn't need to use PF or IPFW. PF is (in my opinion) quite trivial to set up for such purpose though so I don't see why you shouldn't use it. This is a skeleton ruleset (/etc/pf.conf) that accomplishes that (change ext_if to match your system's outgoing interface):


```
ext_if = em0

nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)

scrub on $ext_if all fragment reassemble

pass all
```
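For the natd(8) route that the post above mentions as the PF-free alternative, here is an added example (not kpa's or the FreeBSD project's code) of a custom `firewall_script` for ipfw that hands the jails' traffic to natd. It assumes the external interface is `em0`, the internal interface is `igb0`, the private jails live in `172.16.0.0/16` (the thread only gives `172.16.x.x`), and the SSL terminator jail's public address is the placeholder `203.0.113.10`; the matching `rc.conf` knobs are listed in the header comment.

```shell
#!/bin/sh
# Added example, not from the thread: ipfw ruleset that NATs non-VNET jails
# through natd(8) on a FreeBSD 10.x host, with no PF involved.
#
# Assumed /etc/rc.conf lines (standard knobs from rc.conf(5)):
#   firewall_enable="YES"
#   firewall_script="/etc/ipfw.rules"   # this file
#   natd_enable="YES"
#   natd_interface="em0"
#   natd_flags="-m -u"
# -m keeps source ports where possible; -u (unregistered_only) makes natd
# rewrite only RFC 1918 sources, so the jail with the public 203.x address
# aliased on em0 keeps its own address instead of being NATed too.
# If the kernel lacks "options IPDIVERT", load it first: kldload ipdivert.
# gateway_enable is not needed: non-VNET jails share the host's IP stack,
# so their packets are locally originated, not forwarded.

EXT_IF="em0"                 # assumption: outgoing interface
INT_IF="igb0"                # assumption: interface carrying the 172.16 aliases
JAIL_NET="172.16.0.0/16"     # assumption: private jail addresses
PUBLIC_IP="203.0.113.10"     # placeholder for the SSL terminator jail's address
IPFW="ipfw -q"

# Emits (or installs) the ruleset. Order matters: the divert rule must sit
# before the allow rules so that replies to the jails are rewritten back to
# their private addresses before they are passed.
nat_ruleset() {
    $IPFW -f flush
    # Loopback, which also carries jail-to-jail traffic on this host.
    $IPFW add 100 allow ip from any to any via lo0
    # Anti-spoofing: nothing claiming a jail address may arrive from outside.
    $IPFW add 150 deny ip from "$JAIL_NET" to any in via "$EXT_IF"
    # Hand every IPv4 packet crossing the external interface to natd(8) on
    # its default divert port ("natd" in /etc/services).
    $IPFW add 200 divert natd ip4 from any to any via "$EXT_IF"
    # Packets re-enter here after natd: outbound ones now carry the external
    # address, inbound replies for jails carry their private address again.
    $IPFW add 300 allow ip from any to any out via "$EXT_IF"
    $IPFW add 400 allow ip from any to "$JAIL_NET" in via "$EXT_IF"
    # The public-facing jail (SSL terminator) accepts HTTPS from anywhere.
    $IPFW add 500 allow tcp from any to "$PUBLIC_IP" 443 in via "$EXT_IF"
    # TCP replies to connections the host or the public jail opened itself.
    # These rules are stateless; UDP replies (e.g. DNS) need their own rule.
    $IPFW add 600 allow tcp from any to any established in via "$EXT_IF"
    # The internal interface stays open for host-to-jail traffic.
    $IPFW add 700 allow ip from any to any via "$INT_IF"
    # Explicit final deny, logged, so the default rule is never relied upon.
    $IPFW add 65000 deny log ip from any to any
}

# "preview" as the first argument prints the rules instead of installing
# them; the same happens on a machine without ipfw(8). /etc/rc.d/ipfw runs
# this script with firewall_type as $1, which is empty when unset, so the
# rules are installed at boot.
if [ "${1:-}" = "preview" ] || ! command -v ipfw >/dev/null 2>&1; then
    IPFW=echo
fi
nat_ruleset
```

Run `sh /etc/ipfw.rules preview` to see the rule list before enabling the firewall at boot; the anti-spoof deny (rule 150) and the divert (rule 200) are the two lines whose position relative to the allows must not change.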


----------



## Anand Suresh (Dec 2, 2014)

Thanks for the replies guys.

The reason we don't want to use PF is because from our experience on SmartOS, it was quite a performance killer since it inspected every packet (haven't tested this on FreeBSD yet).

natd seems to be something that might work for our case. Will try that first and then fall back to PF if needed.


----------



## kpa (Dec 3, 2014)

Anand Suresh said:


> Thanks for the replies guys.
> 
> The reason we don't want to use PF is because from our experience on SmartOS, it was quite a performance killer since it inspected every packet (haven't tested this on FreeBSD yet).
> 
> natd seems to be something that might work for our case. Will try that first and then fall back to PF if needed.



NAT has to be done by inspecting every packet by the PF NAT engine; there is no state that is created for the NAT operation, unlike with the filter rules. You change the above pass all rule to this if you don't want states to be created for the traffic that passes the packet filter.


```
pass all no state
```


----------

