# networking best practice?



## zader (Jul 3, 2018)

Kind of a difficult question to ask.. but ... what would be the best way to accommodate something like this..

The host has: 
2 nics (WAN / LAN)
2 jails (vsftp & bro)
2 vms (centos milter & imap)

the vsftp jail needs to be accessible from the LAN and WAN
the bro jail needs to see ALL traffic
the centos milter needs to accept mail from the WAN and not be accessible from the LAN
the imap server needs to be accessible from the WAN and LAN

purpose:

Nic #1 is hardware passed through to bhyve and runs openbsd with relayd and carp.  It also needs to relay traffic from the bro jail out to the WAN

questions:
     is it best to run vsftp and bro as chroots on the openbsd vm? or jail them on the host? or create 2 new VM's?
     is this hardware passthough safe to use as a forward facing firewall? or should I put a dedicated FW upstream?

Nic #2 is connected to the LAN it needs to:
     accept outbound traffic and pass it to bro
     accept outbound mail and pass it to the milter
     allow LAN access to the vsftp and imap server


I know this is a rather complex factitious example
But I wish to know what the best approach to this sort of issue where you have to relay traffic specifically to jails, vms and services... as well as how you could either clone or redirect all traffic in either direction to a IDS such as bro.

Thanks..


----------



## Chris_H (Jul 17, 2018)

Have a look at pf(4). It easily covers all your prerequisites. 

HTH

--Chris


----------

