Pf example jails on loopback addr

Jails need ip addresses, but since we are working with the real internet, we can't just bind any address on our public-facing network interface.

To work around this, we'll setup a clone of the loopback address, where to which we can bind any address in the private address range see RFC 1918.

NOTE:

I do not fully understand how the interface's address can communicate with the jail's address when they are using different netmasks - but I only have a fuzzy understanding of how netmasks work. I can confirm that this does work:

lo1: 172.16.1.1/24
jail: 172.16.1.*/32

Create a clone of the loopback addr lo0, which we will bind to an address in the private address-space.

#### /etc/rc.conf
cloned_interfaces="lo1"    # we clone the loopback iface
pf_enable="YES"            # enable pf

ifconfig_lo1="inet 172.16.1.1 netmask 255.255.255.0"

#### /etc/sysctl.conf
# ip forwarding must be enabled in order to use nat in pf.
net.inet.ip.forwarding=1
net.inet.ip6.forwarding=1

#### /etc/pf.conf
# variables
WAN_ipaddr = "192.168.1.1"      # your external ip
ext_if   = "vtnet0"             # a variable for interface with external traffic
jail_if  = "lo1"                # a variable for interface with internal traffic
jail_net = $jail_if:network     # all netwk-traffic from lo1

nat on $ext_if from $jail_net to any -> $WAN_ipaddr # forward traffic on all jail ifaces to external-interface

sudo service pf start               # start pf
sudo pfctl -nvf /etc/pf.conf        # test pf.conf - errors will be printed on stdout
sudo pfctl -F all  -f /etc/pf.conf  # flush all rules, then reapply rules from /etc/pf.conf

When you have decided on a port you'd like to forward (from WAN to your jail) You will need append it to your /etc/pf.conf.

melody_ip = "172.16.1.2/32"
melody_tcp_ports = "{ 80, 443 }"    # you may also configure a range of ports

# redirect traffic on ports 80/443 to the jail
rdr pass on $ext_if    inet proto tcp   to port 9999  -> $melody_ip port 80

sudo reboot     ## you'll need to reboot so the ip alias takes effect

#### /etc/jail.conf
yourhostname {
    mount.devfs;
    exec.start    = "/bin/sh /etc/rc";
    exec.strop    = "/bin/sh /etc/rc.shutdown";
    host.hostname = "yourhostname";
    path          = "/usr/home/j/yourhostname";
    mount.fstab   = "/etc/jails/yourhost.fstab";

    interface     = "lo1";
    ip4.addr      = 127.16.1.2/32   # (created on alias you just created)
                                    # take note of the /32 netmask 
                                    # (which is different from the interface's /24)
}