
Re: Jailed/sandboxed/chrooted applications
route-to sends it to the lo1 interface
on the lo1 interface the IP it is heading to is changed to 127.0.0.1 port 9040
some other rules to make sure nothing else gets out

Is that it? It still seems very confusing.

I finally cracked it! This PF ruleset let me send a test request from firefox within a jail to
Tor's TransPort (9040); the IP 127.0.0.2 is the jail and an alias of lo0:

rdr pass on lo1 inet proto udp from any to port 53 -> 127.0.0.1 port 53
rdr pass on lo1 inet proto tcp from any to port 53 -> 127.0.0.1 port 53

rdr pass on lo1 inet proto tcp from any to port 80 -> 127.0.0.1 port 9040

pass out route-to lo1 inet proto tcp from 127.0.0.2 to port 80 flags S/SA modulate state
pass out route-to lo1 inet proto udp from 127.0.0.2 to port 53 keep state
Of course it needs to be expanded and modified for my purpose, but this
simple ruleset can be used as a better example for that than the complex but
complete one on the Wiki I think.
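To see why the two halves of that ruleset have to match up, here is an added example (not part of the original post or of PF) that models the flow the poster describes: a jail packet first has to hit a "pass out route-to lo1" rule, and only then does the "rdr ... on lo1" rule rewrite its destination to Tor's TransPort. It assumes the "other rules" mentioned earlier amount to a default block for everything that matches no route-to rule.

```python
import re

# Constructed copy of the poster's ruleset; a default "block" policy is assumed.
RULESET = """
rdr pass on lo1 inet proto udp from any to port 53 -> 127.0.0.1 port 53
rdr pass on lo1 inet proto tcp from any to port 53 -> 127.0.0.1 port 53
rdr pass on lo1 inet proto tcp from any to port 80 -> 127.0.0.1 port 9040
pass out route-to lo1 inet proto tcp from 127.0.0.2 to port 80 flags S/SA modulate state
pass out route-to lo1 inet proto udp from 127.0.0.2 to port 53 keep state
"""

# Only the two rule shapes used in the post are recognised.
RDR = re.compile(r"rdr pass on (\S+) inet proto (\w+) from (\S+) to port (\d+) -> (\S+) port (\d+)")
ROUTE = re.compile(r"pass out route-to (\S+) inet proto (\w+) from (\S+) to port (\d+)")

def parse(text):
    """Split the ruleset into rdr rules and route-to rules."""
    rdrs, routes = [], []
    for line in text.strip().splitlines():
        if m := RDR.match(line):
            iface, proto, src, dport, naddr, nport = m.groups()
            rdrs.append((iface, proto, src, int(dport), naddr, int(nport)))
        elif m := ROUTE.match(line):
            iface, proto, src, dport = m.groups()
            routes.append((iface, proto, src, int(dport)))
    return rdrs, routes

def trace(rdrs, routes, proto, src, dst, dport):
    """Follow one outbound jail packet. Returns (verdict, (addr, port) or None)."""
    # Step 1: the packet must match a route-to rule, which picks the interface (lo1).
    for iface, p, s, d in routes:
        if p == proto and s == src and d == dport:
            break
    else:
        return ("blocked", None)           # assumed default block: nothing else leaves
    # Step 2: on that interface, rdr rewrites the destination before delivery.
    for riface, p, s, d, naddr, nport in rdrs:
        if riface == iface and p == proto and d == dport and s in ("any", src):
            return ("redirected", (naddr, nport))
    # Routed to lo1 but never rewritten: a rule pair worth auditing.
    return ("not_redirected", (dst, dport))

RDRS, ROUTES = parse(RULESET)
JAIL = "127.0.0.2"
```

Tracing a jail packet to port 80 yields ("redirected", ("127.0.0.1", 9040)), while port 443 has no route-to rule and is reported as blocked, which is exactly the gap the poster still has to fill for a real browser.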