@seunets
Last active December 22, 2021 18:11
FreeBSD ipfw jail configuration
#!/bin/sh
# FreeBSD ipfw ruleset for a host that runs a jail on lo1 (172.16.0.1) behind
# NAT on vtnet0. Typically loaded as the rc.conf firewall_script.

# Flush all rules
ipfw -q -f flush
# Destroy ACLs
ipfw -q table all destroy
# Create SSH access ACL
ipfw -q table SSHAccess create type addr
ipfw -q table SSHAccess add 192.168.0.1 # SysAdm workstation
# Create postgreSQL access ACL
ipfw -q table postgreSQLAccess create type addr
ipfw -q table postgreSQLAccess add 192.168.0.2 # DBA workstation
# Keep evaluating rules after a nat action; with one_pass enabled a packet would
# be accepted right after translation and never reach check-state or rule 1001
ipfw -q disable one_pass
# NAT instance 1 on vtnet0: translate only private (unregistered) source addresses,
# keep source ports where possible, reset the translation table when the interface
# address changes, and forward inbound postgresql to the jail at 172.16.0.1
ipfw -q nat 1 config if vtnet0 same_ports unreg_only reset redirect_port tcp 172.16.0.1:postgresql postgresql
ipfw -q add 005 allow all from any to any via lo1 # exclude jail traffic
ipfw -q add 010 allow all from any to any via lo0 # exclude loopback traffic
ipfw -q add 099 reass all from any to any in # reassemble inbound packets
# Inbound packets are de-NATed before the state lookup so that replies to
# outbound stateful flows match the dynamic rule created with the jail address
ipfw -q add 100 nat 1 all from any to any in via vtnet0 # NAT any inbound packets
# Allow the packet through if it has an existing entry in the dynamic rules table
ipfw -q add 101 check-state
# Authorized inbound packets ("me" also matches the jail alias configured on lo1,
# so redirected postgresql traffic still matches after translation)
ipfw -q add 120 skipto 1000 tcp from "table(SSHAccess)" to me ssh in via vtnet0 keep-state
ipfw -q add 121 skipto 1000 tcp from "table(postgreSQLAccess)" to me postgresql in via vtnet0 keep-state
# Authorized outbound packets (DNS, DHCP, HTTP/HTTPS)
ipfw -q add 220 skipto 1000 udp from any to any 53 out via vtnet0 keep-state
ipfw -q add 221 skipto 1000 udp from any to any 67 out via vtnet0 keep-state
ipfw -q add 225 skipto 1000 tcp from any to any 80,443 out via vtnet0 setup keep-state
# Anything not explicitly authorized above is dropped here
ipfw -q add 999 deny all from any to any
# Only the skipto rules reach this point: translate outbound traffic, then accept
ipfw -q add 1000 nat 1 all from any to any out via vtnet0 # skipto location for outbound stateful rules
ipfw -q add 1001 allow all from any to any
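The ruleset above only works because of its ordering: check-state before any keep-state rule, the inbound nat before check-state, one_pass disabled, and a deny sitting between the skipto rules and their target. The following lint script is an added example, not part of the gist; it runs awk over a constructed, abbreviated copy of the rules, and `lint_ipfw` and `RULES` are names introduced here.

```shell
#!/bin/sh
# Constructed, abbreviated copy of the ruleset above (rule numbers preserved).
RULES='ipfw -q disable one_pass
ipfw -q add 100 nat 1 all from any to any in via vtnet0
ipfw -q add 101 check-state
ipfw -q add 120 skipto 1000 tcp from "table(SSHAccess)" to me ssh in via vtnet0 keep-state
ipfw -q add 220 skipto 1000 udp from any to any 53 out via vtnet0 keep-state
ipfw -q add 225 skipto 1000 tcp from any to any 80,443 out via vtnet0 setup keep-state
ipfw -q add 999 deny all from any to any
ipfw -q add 1000 nat 1 all from any to any out via vtnet0
ipfw -q add 1001 allow all from any to any'

# lint_ipfw (hypothetical helper): read "ipfw ... add N action ..." lines on stdin,
# print one line per ordering problem and return 1 if any were found.
lint_ipfw() {
    awk '
    function bad(msg) { problems++; print "PROBLEM: " msg }
    /disable one_pass/ { onepass = 1 }
    $3 == "add" {
        n = $4 + 0; act = $5; defined[n] = 1
        if (act == "check-state" && !cs)               cs = n   # state lookup rule
        if (/keep-state/ && (!ks || n < ks))           ks = n   # first stateful rule
        if (act == "nat" && / in / && (!ni || n < ni)) ni = n   # inbound de-NAT rule
        if (act == "deny")                             deny[n] = 1
        if (act == "skipto") { tgt[$6 + 0] = 1; if (n > lastskip) lastskip = n }
    }
    END {
        if (ni && !onepass) bad("nat rules present but one_pass is not disabled")
        if (!cs)            bad("no check-state rule: replies never match dynamic state")
        if (cs && ks && ks < cs) bad("keep-state rule " ks " precedes check-state " cs)
        if (cs && ni && ni > cs) bad("inbound nat " ni " runs after check-state " cs)
        for (t in tgt) {
            if (!(t in defined)) bad("skipto target " t " is not defined")
            hit = 0
            for (d in deny) if (d + 0 > lastskip && d + 0 < t + 0) hit = 1
            if (!hit) bad("no deny between last skipto rule " lastskip " and target " t)
        }
        exit (problems ? 1 : 0)
    }'
}

printf '%s\n' "$RULES" | lint_ipfw && echo "ruleset ordering OK"
```

Pipe `ipfw list` output through the same awk body (dropping the `ipfw -q add` prefix from the field positions) to check a live ruleset instead of the embedded copy.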