PF rules and configuration to allow a local IP alias to NAT on FreeBSD?

Here's exact details of my configuration:

Firewall/DNS Server: 192.168.2.1 (local lan) which routes out to the internet. <-- NOT UNDER MY CONTROL My FreeBSD Server: 192.168.2.23 (LAN)

"Inside" of my server, I have a jail. (I will have more, once my firewall rules are working..) I'm setting this up using ezjail, and that much is working. I want to assign it an alias on my FreeBSD server's loopback device lo0, and to give this jail ip of 127.0.0.10

So far in my /etc/pf.conf, the following is working:

# allow the outside world or internet to hit my FreeBSD server on 6500, and send this traffic to 6500
# verified through nc -l 6500 inside the jail, and telnet in from outside world
rdr pass on em0 inet proto tcp from any to 192.168.2.23 port = 6500 -> 127.0.0.10 port 6500

However, I have 2 more needs:

1) The jail must be able to send TCP traffic to any INTERNET IP (not 192.* or 127.*) on ports 5555 or 7070 or TBD 2) The jail must be able to send TCP traffic to 192.168.2.1 on the DNS port only (I MUST use this as an NS because of the way the main firewall out of my control is set up, I cannot change that)

And I have no idea how to set up pf to do this. Any help would be appreciated. Exact pf.conf lines would be EXTREMELY appreciated. I'm not a networking guy, I have read many many faqs and man pages on this, and it always ends up I'm either following the pf >4.5 syntax or I'm totally confused by what they are digging in to. What I list here is literally everything my "firewall" needs to do so it's frustrating to do so much research and only get 1/3 of it going.. this seems like a very basic use-case

Supporting info:

In rc.conf I've set up:

defaultrouter="192.168.2.1"
ifconfig_em0="inet 192.168.2.23  netmask 255.255.255.0"
ifconfig_lo0_alias0="inet 127.0.0.10 netmask 255.255.255.0"
pf_enable="YES"
gateway_enable="YES"            # Enable as LAN gateway

My ifconfigs give me:

server# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
    ether 00:0c:29:fc:6f:48
    inet 192.168.2.23 netmask 0xffffff00 broadcast 192.168.2.255
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=3<RXCSUM,TXCSUM>
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 
    inet6 ::1 prefixlen 128 
    inet 127.0.0.1 netmask 0xff000000 
    inet 127.0.0.10 netmask 0xffffff00 
    nd6 options=3<PERFORMNUD,ACCEPT_RTADV>


jail# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
    ether 00:0c:29:fc:6f:48
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=3<RXCSUM,TXCSUM>
    inet 127.0.0.10 netmask 0xffffff00

That looks good maybe but the rules are on 192.168.2.23 with the NAT'd IP of 127.0.0.10 behind it.. is there a mistake in what you have here (I don't see 127.0.0.10) or where I see "interface" should I be creating an aliased interface or something?

I'm not sure I understand your setup, the nating behind the 127.0.0.10 part. But yes in the [interface] part you can put any interface that FreeBSD sees.

+1 for the example and adding references to the websites.

I'm having 192.168.2.23 act as a firewall in front of a jail that has been given IP 127.0.0.10 and am trying to control the traffic from 127.0.0.10 and leave 192.168.2.23 fully unrestricted

One more question - what's [ip] supposed to be? IP of what?

The IP that you will NAT behind.

This doesn't work at all, I'm using PF < 4.5 so this syntax is incorrect