Date: Wed, 17 Dec 2008 17:55:53 +1100
From: Geoff Roberts <geoff@apro.com.au>
To: freebsd-questions@freebsd.org
Subject: ftp from jails using a proxy
Message-ID: <200812171755.53920.geoff@apro.com.au>

Hi,

I am using FreeBSD 7.0.

I have a server with a single network interface - ext0.

On this server I have a number of jails attached to a pseudo network
interface - lo1. lo1 has the following IP address range: 10.1.1.0/24
(ifconfig create lo1)

I also have jails attached to the external interface ext0.

I would like to be able to ftp from the jails on the pseudo interface (lo1)
as well as the external interface (ext).

For a range of reasons I want to avoid a pass out all option on the external
interface ext0.

I therefore tried using ftp-proxy. However, I can never get the redirect to
connect to ftp-proxy in the pf rules, no matter which interface or address I
place it on.

I'm beginning to think that redirects to ftp-proxy will only work when there
is incoming traffic on a separate physical interface. Redirecting from a
pseudo interface doesn't seem to work.

See notes below for configuration.

How would you suggest I get this working? Is there a better way to set this
up? I'd prefer to use passive ftp if possible.

Notes on ftp-proxy configuration
====================

I can verify the fact that ftp is not being redirected via the proxy by
running the proxy in debug:

    ftp-proxy -d -D 7 -b (ext0)

where (ext0) is the external IP address.

I never get any connections logged by the proxy.

I can't use 127.0.0.1 as jails can't connect to this address.

In my pf rules I have

    nat-anchor "ftp-proxy/*"
    rdr-anchor "ftp-proxy/*"
    rdr on ext0 proto tcp from any to any port 21 -> (ext0) port 8021
    rdr on lo1 proto tcp from any to any port 21 -> (ext0) port 8021
    anchor "ftp-proxy/*"
    pass out log proto tcp from any to any port 21 label "FTP -- ACCEPT "

Kind regards,

Geoff

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200812171755.53920.geoff>