ipf & ipnat - freebsd

Published: Fri 22 March 2019


The following firewall rules work for a jailed environment. The rest is self-explanatory for readers who have experience with ipf. If you would like to read more on ipf, follow the FreeBSD handbook link in the references at the end of this post.

[code lang=text]
pass in quick on lo0 all
pass out quick on lo0 all

# outbound connection
pass out log first quick on vtnet0 all

# Allow internal traffic
pass in quick on vtnet0 from 10.0.0.0/16 to 10.0.0.0/16
pass out quick on vtnet0 from 10.0.0.0/16 to 10.0.0.0/16

# Allow nat traffic in
pass in quick on vtnet0 proto tcp/udp from 10.0.0.1 to any port = domain keep state

# interface facing Internet (inbound)
# Block all inbound traffic from non-routable or reserved address spaces
block in quick on vtnet0 from 192.168.0.0/16 to any
block in quick on vtnet0 from 172.16.0.0/12 to any     #RFC 1918 private IP
#block in quick on vtnet0 from 10.0.0.0/8 to any        #RFC 1918 private IP
block in quick on vtnet0 from 127.0.0.0/8 to any        #loopback
block in quick on vtnet0 from 0.0.0.0/8 to any          #loopback
block in quick on vtnet0 from 169.254.0.0/16 to any     #DHCP auto-config
block in quick on vtnet0 from 192.0.2.0/24 to any       #reserved for docs
block in quick on vtnet0 from 204.152.64.0/23 to any    #Sun cluster interconnect
block in quick on vtnet0 from 224.0.0.0/3 to any        #Class D & E multicast

# Block fragments and too short tcp packets
block in quick on vtnet0 all with frags
block in quick on vtnet0 proto tcp all with short

# block source routed packets
block in quick on vtnet0 all with opt lsrr
block in quick on vtnet0 all with opt ssrr

# Block OS fingerprint attempts and log first occurrence
block in log first quick on vtnet0 proto tcp from any to any flags FUP

# Block anything with special options
block in quick on vtnet0 all with ipopts

# Block public pings and ident
block in quick on vtnet0 proto icmp all icmp-type 8
block in quick on vtnet0 proto tcp from any to any port = 113

# Block incoming Netbios services
block in log first quick on vtnet0 proto tcp/udp from any to any port = 137
block in log first quick on vtnet0 proto tcp/udp from any to any port = 138
block in log first quick on vtnet0 proto tcp/udp from any to any port = 139
block in log first quick on vtnet0 proto tcp/udp from any to any port = 81

# Allow traffic in from ISP's DHCP server. Replace z.z.z.z with
# the same IP address used in the outbound section.
pass in quick on vtnet0 proto udp from 140.82.50.1/32 to any port = 68 keep state

# Allow public connections to specified internal web server
pass in quick on vtnet0 proto tcp from any to 140.82.51.110/32 port = 80 flags S keep state

# Allow webmin connection
pass in quick on vtnet0 proto tcp from any to 140.82.51.110/32 port = 10000 flags S keep state

# Allow ssh connection
pass in quick on vtnet0 proto tcp from any to 140.82.51.110/32 port = 22 flags S keep state

# Allow port 53
pass in quick on vtnet0 proto tcp from any to 140.82.51.110/32 port = 53 flags S keep state

# allow port 53 udp
pass in quick on vtnet0 proto udp from any to 140.82.51.110/32 port = 53 keep state

pass in quick on vtnet0 from any to 10.0.0.0/16

# Block and log only first occurrence of all remaining traffic.
block in log first quick on vtnet0 all
[/code]

The following rules are for ipnat:

[code lang=text]
# from to map vtnet0 10.0.0.0/16 -> 140.82.51.110/32 portmap tcp/udp auto

map vtnet0 10.0.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 40000:65000 frag
map vtnet0 10.0.0.1/32 -> 0/32 proxy port ftp ftp/tcp
map vtnet0 10.0.0.1/32 -> 0/32 portmap tcp/udp 10000:40000
map vtnet0 10.0.0.1/32 -> 0/32
rdr vtnet0 140.82.51.110/32 port 80 -> 10.0.0.1 port 80
rdr vtnet0 140.82.51.110/32 port 53 -> 10.0.0.1 port 53
[/code]
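Two things decide what the two rule sets above actually do: ipf walks the list in order and a matching `quick` rule ends evaluation, and IPFilter applies ipnat translation to an inbound packet before the inbound filter rules see it. The Python model below is an added illustration, not code from the original post: it parses a trimmed copy of the post's rules (the subset of ipf.conf and ipnat syntax they use, with numeric ports only), then runs a few constructed packets through rdr-then-filter the way the kernel orders them. The packet values (source 203.0.113.5, the ports and flags) are made up, and the tcp-only behaviour of an rdr rule that names no protocol is taken from ipnat's documented default and marked as an assumption in the code.

```python
import ipaddress

# Constructed, trimmed copy of the post's ipf rules (lo0 and vtnet0 only, one rule per line).
IPF_RULES = """
pass in quick on lo0 all
pass out log first quick on vtnet0 all
pass in quick on vtnet0 from 10.0.0.0/16 to 10.0.0.0/16
block in quick on vtnet0 from 192.168.0.0/16 to any
block in quick on vtnet0 all with frags
block in log first quick on vtnet0 proto tcp from any to any flags FUP
block in quick on vtnet0 proto tcp from any to any port = 113
pass in quick on vtnet0 proto tcp from any to 140.82.51.110/32 port = 80 flags S keep state
pass in quick on vtnet0 proto tcp from any to 140.82.51.110/32 port = 22 flags S keep state
pass in quick on vtnet0 from any to 10.0.0.0/16
block in log first quick on vtnet0 all
"""
# Constructed copy of the post's ipnat rdr rules (its map rules are not modelled).
IPNAT_RULES = """
rdr vtnet0 140.82.51.110/32 port 80 -> 10.0.0.1 port 80
rdr vtnet0 140.82.51.110/32 port 53 -> 10.0.0.1 port 53
"""

def parse_ipf(text):
    """Parse the ipf.conf subset used above: ACTION DIR [log [first]] [quick] [on IF]
    [proto P[/P]] [from A [port = N]] [to A [port = N]] [flags F[/M]] [with [opt] NAME]."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split("#", 1)[0].split()
        if not t:
            continue
        r = {"action": t[0], "dir": t[1], "quick": False, "iface": None, "proto": None,
             "src": None, "dst": None, "sport": None, "dport": None, "flags": None, "with": set()}
        side, it = None, iter(t[2:])
        for w in it:
            if w == "quick":
                r["quick"] = True
            elif w == "on":
                r["iface"] = next(it)
            elif w == "proto":
                r["proto"] = set(next(it).split("/"))
            elif w in ("from", "to"):
                side, a = ("src" if w == "from" else "dst"), next(it)
                r[side] = None if a == "any" else ipaddress.ip_network(a, strict=False)
            elif w == "port":  # "port = N" qualifies the most recent from/to side
                next(it)
                r["sport" if side == "src" else "dport"] = int(next(it))
            elif w == "flags":  # bare "S" is ipf shorthand for S/SA; otherwise all six are masked
                f, _, m = next(it).partition("/")
                r["flags"] = (set(f), set(m or ("SA" if f == "S" else "FSRPAU")))
            elif w == "with":  # "with frags", "with short", "with opt lsrr", "with ipopts"
                o = next(it)
                r["with"].add(next(it) if o == "opt" else o)
            # log, first, all, keep, state: no effect on matching here (no state table modelled)
        rules.append(r)
    return rules

def matches(r, p):
    """p: dict with dir, iface, proto, src, dst; optional sport, dport, flags (set of
    letters from FSRPAU) and with (set of option names such as 'frags')."""
    if r["dir"] != p["dir"] or (r["iface"] and r["iface"] != p["iface"]):
        return False
    if r["proto"] and p["proto"] not in r["proto"]:
        return False
    if any(r[s] is not None and ipaddress.ip_address(p[s]) not in r[s] for s in ("src", "dst")):
        return False
    if any(r[k] is not None and p.get(k) != r[k] for k in ("sport", "dport")):
        return False
    if r["flags"]:
        want, mask = r["flags"]
        have = p.get("flags", set())
        if any((f in have) != (f in want) for f in mask):
            return False
    return r["with"] <= p.get("with", set())

def parse_ipnat_rdr(text):
    """Parse 'rdr IF DST/MASK port N -> NEWDST port M' lines into tuples; skip anything else."""
    return [(t[1], ipaddress.ip_network(t[2], strict=False), int(t[4]), t[6], int(t[8]))
            for t in (ln.split() for ln in text.strip().splitlines()) if t and t[0] == "rdr"]

def apply_rdr(rdrs, p):
    """ipnat translates an inbound packet before the inbound ipf rules see it. The post's rdr
    rules name no protocol; ipnat's documented default for that is tcp (assumed here)."""
    for iface, dst, port, newdst, newport in rdrs:
        if (p["dir"], p["iface"], p["proto"], p.get("dport")) == ("in", iface, "tcp", port) \
                and ipaddress.ip_address(p["dst"]) in dst:
            return {**p, "dst": newdst, "dport": newport}
    return p

def evaluate(rules, p, rdrs=()):
    """Return (verdict, rule position). ipf keeps the LAST match unless a matching rule is
    'quick', which stops evaluation; with no match at all the packet passes (unless the
    kernel has IPFILTER_DEFAULT_BLOCK), hence the post's closing catch-all block rule."""
    p = apply_rdr(rdrs, p)
    verdict = ("pass", 0)
    for n, r in enumerate(rules, 1):
        if matches(r, p):
            verdict = (r["action"], n)
            if r["quick"]:
                break
    return verdict

def syn(dst, dport, src="203.0.113.5"):  # constructed inbound TCP SYN arriving on vtnet0
    return {"dir": "in", "iface": "vtnet0", "proto": "tcp", "src": src, "dst": dst,
            "sport": 40001, "dport": dport, "flags": {"S"}}

def audit():
    rules, rdrs = parse_ipf(IPF_RULES), parse_ipnat_rdr(IPNAT_RULES)
    return {
        "web SYN, filter only": evaluate(rules, syn("140.82.51.110", 80)),
        "web SYN, rdr then filter": evaluate(rules, syn("140.82.51.110", 80), rdrs),
        "ssh SYN, rdr then filter": evaluate(rules, syn("140.82.51.110", 22), rdrs),
        "web SYN from 192.168.1.5": evaluate(rules, syn("140.82.51.110", 80, "192.168.1.5"), rdrs),
        "smtp SYN": evaluate(rules, syn("140.82.51.110", 25), rdrs),
        "SYN to 10.0.0.55:445": evaluate(rules, syn("10.0.0.55", 445), rdrs),
    }

if __name__ == "__main__":
    for label, (verdict, n) in audit().items():
        print(f"{label:26} -> {verdict} by rule {n}")
```

The model makes the interaction between the two files visible: once rdr has rewritten the web request to 10.0.0.1:80, the `pass in ... to 140.82.51.110/32 port = 80` rule no longer matches and it is the late `pass in quick on vtnet0 from any to 10.0.0.0/16` rule that admits the packet, which is also why that rule admits any port on any 10.0.0.0/16 address that reaches vtnet0. The RFC 1918 block still wins for a spoofed source because it sits earlier in the list, and everything unmatched falls to the closing catch-all. On the real box the same questions are answered with `ipfstat -nio` (numbered inbound and outbound rules) and `ipnat -l` (loaded NAT rules) after the rules are loaded.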

References:
https://www.freebsd.org/doc/handbook/firewalls-ipf.html
https://www.symantec.com/connect/articles/solaris-and-ip-filter-how-make-them-your-nat-solution
