[admin@lockdown ~]$ cat /etc/pf.conf
  2. ext_if="vtnet0"
  3. NET_JAIL="{ 192.168.69.0/24 192.168.68.0/24 192.168.0.0/24 }"
  4.  
  5. scrub in all
  6.  
  7. # Won't filter traffic on loopback
  8. set skip on lo0
  9.  
  10. # nat all jail traffic
  11. nat on $ext_if inet from $NET_JAIL to any -> ($ext_if)
  12.  
  13. # Allow all OUT, block all IN on $ext_if
  14. block in log all
  15. pass out all
  16.  
  17. # Protects against activity from spoofed or forged IPs
  18. antispoof for $ext_if inet
  19.  
  20. # Allow traceroute
  21. pass out on $ext_if inet proto udp from any to any port 33433 >< 33626
  22.  
  23. # Allow ICMP ping
  24. pass inet proto icmp from any to any
  25.  
  26. # Allow SSH/d
  27. pass in quick on $ext_if proto tcp from any to any port ssh flags S/SA keep state
  28.  
  29. ### Jail traffic policies
  30.  
  31. # Allowing inbound traffic
  32. pass quick proto tcp from any to $NET_JAIL port { 443, 80 } flags S/SA keep state
  33.  
  34. # Note: when using VNET with jail's own subnet, jail outgoing traffic
  35. # is actually seen as incoming traffic by the FreeBSD Host.
  36. # As such, a 'out' rule is declared as 'in' rule and 'from $whateverJail'.
  37.  
  38. # Allowing outbound DNS traffic inside jails
  39. pass in proto { tcp, udp } from $NET_JAIL to any port domain
  40.  
  41. # Allow traceroute inside jails
  42. pass in proto udp from $NET_JAIL to any port 33433 >< 33626
  43.  
  44. # Allow pkg, freebsd-update and anything else using http/s
  45. pass in proto { tcp, udp } from $NET_JAIL to any port { 443, 80 }  
  46.  
  47. ### Jail traffic policies <EOL
[admin@lockdown ~]$