From owner-freebsd-questions@FreeBSD.ORG Wed Dec 17 07:11:09 2008
From: Geoff Roberts
Organization: Australian Projects
To: freebsd-questions@freebsd.org
Date: Wed, 17 Dec 2008 17:55:53 +1100
Subject: ftp from jails using a proxy
Message-Id: <200812171755.53920.geoff@apro.com.au>

Hi,

I am using FreeBSD 7.0. I have a server with a single network interface - ext0. On this server I have a number of jails attached to a pseudo network interface - lo1.
lo1 has the following IP address range: 10.1.1.0/24 (ifconfig create lo1). I also have jails attached to the external interface ext0.

I would like to be able to ftp from the jails on the pseudo interface (lo1) as well as the external interface (ext0). For a range of reasons I want to avoid a "pass out all" option on the external interface ext0. I therefore tried using ftp-proxy. However, I can never get the redirect to connect to ftp-proxy in the pf rules, no matter which interface or address I place it on. I'm beginning to think that redirects to ftp-proxy will only work when there is incoming traffic on a separate physical interface. Redirecting from a pseudo interface doesn't seem to work. See notes below for configuration.

How would you suggest I get this working? Is there a better way to set this up? I'd prefer to use passive ftp if possible.

Notes on ftp-proxy configuration
================================

I can verify the fact that ftp is not being redirected via the proxy by running the proxy in debug mode:

    ftp-proxy -d -D 7 -b (ext0)

where (ext0) is the external IP address. I never get any connections logged by the proxy. I can't use 127.0.0.1 as jails can't connect to this address.

In my pf rules I have:

    nat-anchor "ftp-proxy/*"
    rdr-anchor "ftp-proxy/*"
    rdr on ext0 proto tcp from any to any port 21 -> (ext0) port 8021
    rdr on lo1 proto tcp from any to any port 21 -> (ext0) port 8021
    anchor "ftp-proxy/*"
    pass out log proto tcp from any to any port 21 label "FTP -- ACCEPT "

Kind regards,
Geoff
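The following pf.conf is an added example, not part of Geoff's post: it keeps the ftp-proxy anchors and the default-deny goal from the post, but routes the jails' control connections through lo0 so that a rdr rule can see them, since connections that originate on the host itself (and jail processes are host processes) are only evaluated "out" on ext0 and never arrive "in" on lo1. The route-to lo0 workaround, the macro names, the 10.1.1.1 address for the host side of lo1, the block-out policy and the proxy being started with "ftp-proxy -b 10.1.1.1 -p 8021" are all assumptions of this example, not something the post confirms.

```pf
# Added example (FreeBSD 7 pf syntax), not the configuration from the post.
# Assumptions: ext0 is the external interface, the host owns 10.1.1.1 on lo1,
# and ftp-proxy runs as:  ftp-proxy -b 10.1.1.1 -p 8021 -D 5
ext_if   = "ext0"
jail_net = "10.1.1.0/24"
proxy    = "10.1.1.1"      # assumed host address on lo1; jails can reach it,
                           # unlike 127.0.0.1

# ftp-proxy installs per-session nat/rdr/pass rules for the data channels in
# these anchors, so no blanket "pass out all" is needed on ext0.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# rdr only matches packets arriving "in" on an interface. Jail traffic is
# locally originated and is evaluated "out" on ext0 only, which is why
# "rdr on lo1" and "rdr on ext0" never fire. After the route-to rule below
# sends the control connection over lo0, it re-enters "in on lo0" and this
# rule hands it to the proxy.
rdr pass on lo0 proto tcp from $jail_net to any port 21 -> $proxy port 8021

anchor "ftp-proxy/*"

# Assumed default-deny on the external interface (the post's stated goal).
block out log on $ext_if all

# Jail FTP control connections: loop them through lo0 instead of sending
# them straight out, so the rdr above can redirect them to ftp-proxy.
pass out on $ext_if route-to lo0 proto tcp from $jail_net to any port 21

# Only the proxy's own control connection (sourced from ext0's address) may
# leave on ext0; data channels are passed per session by the anchor rules.
pass out log on $ext_if proto tcp from ($ext_if) to any port 21 \
    label "FTP -- PROXY"
```

With the proxy running in debug mode as in the post, a jail connection to an external FTP server should now appear in its log, and "pfctl -sr" / "pfctl -sn" show the route-to and rdr rules with increasing counters.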