Freebsd – Accessing ports on public IP from within a FreeBSD jail

Tags: freebsd, jails, pf

In a FreeBSD 10 setup, I have a jail running the publicly accessible nginx web server and another jail for the Java backend server based on Jetty. Each jail has its own internal IP address 127.0.1.x attached to the lo1 loopback interface. All this is configured to run with the pf firewall, which redirects incoming traffic to the nginx jail and from there to the Jetty jail. Basic pf configuration is shown below.

Now I would like to have a Git repository accessible externally via https. This is already set up and works well, but only when accessing it externally. From the Jetty jail, no connection is possible. However, I would like to access the Git repository from my Jetty backend jail via the public IP address.

I tried something like the following line to enable this in pf without success:

rdr pass proto tcp from $ip_jetty to $ip_public port https -> $ip_nginx

My pf firewall configuration looks as follows:

ip_public = "6.7.8.9"
if_external = "igb0"
net_jails = "127.0.1.0/24"
ip_nginx = "127.0.1.1"
ip_jetty = "127.0.1.10"

# Allow traffic from jails to outside world, enabled by network address translation
nat pass on $if_external from $net_jails to any -> $ip_public

# Redirect incoming web traffic to nginx jail
rdr pass on $if_external proto tcp from any to $ip_public port { http, https } -> $ip_nginx

# Allow outgoing connections
pass out all

# Allow nginx access to Jetty backend
pass in on lo1 proto tcp from $ip_nginx to $ip_jetty port 8080

Best Answer

To answer my own question, I got it to work using the following firewall configuration:

# Allow dynaserv jail to access git on https port of web jail
pass in on lo1 proto tcp from $ip_jetty to $ip_nginx port https

Also, in the /etc/hosts file of the Jetty jail, I added the internal IP address of the nginx jail:

127.0.1.1               git.mycompany.com

This way, the traffic is routed through the internal lo1 loopback interface instead of the external network device. This is not quite what I wanted to have in my original post, but this also works well once configured.

If someone still has an idea how to solve the question in the way it was intended (using the external network device), I am still interested in an answer.
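The accepted answer works because the hosts override makes the Jetty jail connect to 127.0.1.1 over lo1, where the new pass rule applies, instead of to the public address. The check below, added here as an example and not part of the original question or answer, is meant to be run inside the Jetty jail after applying that configuration: it confirms that the name resolves from the hosts file to an address in the 127.0.1.0/24 jail network, and optionally performs a TLS handshake to that internal address with SNI set to the public name, so certificate verification still succeeds without being disabled. The helper names (hosts_lookup, in_jail_net, tls_check), the CHECK_TLS variable and the sample hosts file are assumptions made for this example; git.mycompany.com and the addresses come from the post.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a hostname overridden in a
# jail's /etc/hosts points into the 127.0.1.0/24 jail network, so that traffic to it
# stays on lo1 and is covered by the "pass in on lo1 ... port https" rule.

# Print the first address that a hosts(5)-format file maps NAME to (hypothetical helper).
# Comments are stripped and the name must match a whole field, not a substring.
hosts_lookup() {
    file=$1; name=$2
    awk -v n="$name" '
        { sub(/#.*/, "") }
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }
    ' "$file"
}

# Exit 0 if ADDR is a valid IPv4 address inside 127.0.1.0/24 (the jail network from the post).
in_jail_net() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 && $1 == "127" && $2 == "0" && $3 == "1" && $4 ~ /^[0-9]+$/ && $4 + 0 <= 255 { ok = 1 }
        END { exit !ok }'
}

# Optional end-to-end check: TLS handshake to the internal address with SNI set to the
# public name. -verify_return_error makes openssl fail on a certificate mismatch instead
# of just printing a warning, so a passing run means verification was not weakened.
tls_check() {
    addr=$1; name=$2
    openssl s_client -connect "$addr:443" -servername "$name" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

main() {
    hostsfile=$1
    name=${2:-git.mycompany.com}
    addr=$(hosts_lookup "$hostsfile" "$name")
    if [ -z "$addr" ]; then
        echo "FAIL: $name has no entry in $hostsfile; it would be resolved via DNS instead" >&2
        return 1
    fi
    if in_jail_net "$addr"; then
        echo "OK: $name -> $addr (jail network, traffic stays on lo1)"
    else
        echo "FAIL: $name -> $addr is outside 127.0.1.0/24; the lo1 pass rule will not apply" >&2
        return 1
    fi
    # The handshake needs the nginx jail to be up, so it only runs when CHECK_TLS=1 is set.
    if [ "${CHECK_TLS:-0}" = 1 ]; then
        if tls_check "$addr" "$name"; then
            echo "OK: TLS certificate verified against SNI name $name at $addr"
        else
            echo "FAIL: TLS verification to $addr with SNI $name" >&2
            return 1
        fi
    fi
}

# Run only when a hosts file is given, e.g.:  CHECK_TLS=1 sh check_git_path.sh /etc/hosts
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Inside the Jetty jail, `sh check_git_path.sh /etc/hosts git.mycompany.com` reports which address the name maps to; a "FAIL" means the override is missing or points somewhere other than the nginx jail, in which case the connection would leave via the public address exactly as in the original question. Note that the hosts entry has to be kept in step with the nginx jail's address if it ever changes.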
