Date:      Sun, 05 Oct 2008 18:48:19 +0200
From:      Miroslav Lachman <000.fbsd@quip.cz>
To:        David Marec <david.marec@davenulle.org>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Pf, ftp-proxy and proftp running into a jail
Message-ID:  <48E8EFD3.4030000@quip.cz>
In-Reply-To: <200810051642.45864.david.marec@davenulle.org>
References:  <200810051642.45864.david.marec@davenulle.org>

David Marec wrote:
> hi,
> 
> I am trying to get proftpd running in a jail, available from outside the 
> host.
> 
> First, I wrote rules to redirect FTP traffic from ext_if to the jail and to 
> NAT jailed traffic to ext_if.
> After login, the data connection keeps being closed in passive mode; the 
> active mode is running well.
> 
> Then, I tried to use ftp-proxy, by adding the following entries into rc.conf:
>  ftpproxy_enable="yes"
>  ftpproxy_flags="-vv -R ftp.server.address -p 21 -b ext.if"
> 
> and followed the tutorial I found on the OpenBSD website:
> http://www.openbsd.org/faq/pf/ftp.html
> 
> But I can't even connect to the FTP server.
> 
> What is the right way to use ftp-proxy?

Are you sure you need ftp-proxy?
I have ProFTPd in a jail on a private IP, bidirectionally NATed 1:1 by PF 
to a public IP, with the following rules:

binat on $ext_if from $jail_addr_1 to any -> $ext_addr_1

## pass incoming in to jails (from outside world)
## The filter engine will see the IP packet as it looks after translation has taken place
pass in on $ext_if inet proto tcp from any to $jail_addr_1 port $jail_tcp_1_inports

## pass in/out (both directions) on jail interface (operations inside jail)
pass on $jail_if inet from $jail_addr_1 to $jail_addr_1

## passive FTP transfer - highports - for FTP in Jail (must use MasqueradeAddress in proftpd.conf)
pass in on $ext_if inet proto tcp from any to $jail_addr_1 port 54000 >< 55000 keep state


And in proftpd.conf I have:

# If Jail has NATed local IP address
MasqueradeAddress       1.2.3.4
PassivePorts            54000 55000

(1.2.3.4 is public IP address on which FTP will be accessible)

You do not need 1:1 mapping; you can use NAT + RDR rules to redirect 
just some port range into your jail.

Miroslav Lachman
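As an added example (not rules from this thread or from Miroslav), here is the NAT + RDR variant mentioned above, so that only the FTP control port and the passive data range ever reach the jail. Interface names, macro names and the addresses are assumptions; the proftpd.conf settings (MasqueradeAddress and PassivePorts) stay exactly as shown in the reply.

```pf
# Added example, not from the thread: NAT + RDR instead of a 1:1 binat.
# Macro names, interfaces and addresses below are assumptions/constructed.
ext_if      = "em0"
jail_if     = "lo1"
ext_addr_1  = "1.2.3.4"      # public address the FTP server is reached on
jail_addr_1 = "10.0.0.2"     # jail's private address

# Outbound: connections originating in the jail leave with the public address.
nat on $ext_if from $jail_addr_1 to any -> $ext_addr_1

# Inbound: redirect only the control port and the passive range to the jail.
# 54000:55000 is inclusive, so it matches "PassivePorts 54000 55000" exactly;
# every other port on $ext_addr_1 stays on the host and is never forwarded.
rdr on $ext_if inet proto tcp from any to $ext_addr_1 port 21 -> $jail_addr_1 port 21
rdr on $ext_if inet proto tcp from any to $ext_addr_1 port 54000:55000 -> $jail_addr_1 port 54000:*

# The filter sees the packet after translation, so match on the jail address.
pass in on $ext_if inet proto tcp from any to $jail_addr_1 port { 21, 54000:55000 } keep state

# Traffic that stays inside the jail on its own interface.
pass on $jail_if inet from $jail_addr_1 to $jail_addr_1
```

Check the result with `pfctl -s nat` and `pfctl -s rules`; a passive transfer that still fails usually means the PassivePorts range in proftpd.conf and the redirected range do not match.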


