From owner-freebsd-pf@FreeBSD.ORG Sun Oct 5 17:04:21 2008
Message-ID: <48E8EFD3.4030000@quip.cz>
Date: Sun, 05 Oct 2008 18:48:19 +0200
From: Miroslav Lachman <000.fbsd@quip.cz>
To: David Marec
Cc: freebsd-pf@freebsd.org
References: <200810051642.45864.david.marec@davenulle.org>
In-Reply-To: <200810051642.45864.david.marec@davenulle.org>
Subject: Re: Pf, ftp-proxy and proftp running into a jail
List-Id: "Technical discussion and general questions about packet filter (pf)"

David Marec wrote:
> hi,
>
> I am trying to get proftpd running in a jail, available from outside the
> host.
>
> First, I wrote rules to redirect ftp traffic from ext_if to the jail and to
> nat jailed traffic to ext_if.
> After login, the data connection keeps being closed in passive mode; the
> active mode is running well.
>
> Then, I tried to use ftp-proxy, by adding the following entries into rc.conf:
> ftpproxy_enable="yes"
> ftpproxy_flags="-vv -R ftp.server.address -p 21 -b ext.if"
>
> and followed the tutorial I found on the openbsd website:
> http://www.openbsd.org/faq/pf/ftp.html
>
> But I can't even connect to the ftp server.
>
> What is the right way to use ftp-proxy?

Are you sure you need ftp-proxy?

I have ProFTPd in a jail on a private IP, bidirectionally NATed by PF 1:1 to a public IP, with the following rules:

binat on $ext_if from $jail_addr_1 to any -> $ext_addr_1

## pass incoming in to jails (from outside world)
## The filter engine will see the IP packet as it looks after translation has taken place
pass in on $ext_if inet proto tcp from any to $jail_addr_1 port $jail_tcp_1_inports

## pass in/out (both directions) on jail interface (operations inside jail)
pass on $jail_if inet from $jail_addr_1 to $jail_addr_1

## passive FTP transfer - highports - for FTP in Jail (must use MasqueradeAddress in proftpd.conf)
pass in on $ext_if inet proto tcp from any to $jail_addr_1 port 54000 >< 55000 keep state

And in proftpd.conf I have:

# If Jail has NATed local IP address
MasqueradeAddress 1.2.3.4
PassivePorts 54000 55000

(1.2.3.4 is the public IP address on which FTP will be accessible)

You do not need 1:1 mapping; you can use NAT + RDR rules to redirect just some port range into your jail.

Miroslav Lachman
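The two things that break passive FTP behind NAT in the setup above can be checked offline: whether the 227 PASV reply advertises the jail's private address (MasqueradeAddress missing) and whether the pf pass rule really covers every port ProFTPD may hand out. The script below is an added example and is not code from the post or from pf/ProFTPD. It takes the rule and proftpd.conf lines quoted above as constructed input, plus two constructed PASV replies (the private address 192.168.1.2 is made up for the illustration; 1.2.3.4 is the public address from the post). Port-range semantics follow pf.conf(5): `a:b` is inclusive, `a >< b` excludes both endpoints, `a <> b` matches ports below a or above b. Note that the posted rule uses `><` while PassivePorts is an inclusive range, so ports 54000 and 55000 are handed out but not passed.

```python
"""Check a jailed ProFTPD passive-mode setup against the pf rules in front of it.

Added example, not code from the mailing-list post. Checks:
  1. the 227 PASV reply advertises the public (masqueraded) address, not
     the jail's private one;
  2. the pf pass rule covers every port in PassivePorts.
"""
import ipaddress
import re

# Sample input, constructed from the rule and directives quoted in the post.
POSTED_RULE = ("pass in on $ext_if inet proto tcp from any to $jail_addr_1 "
               "port 54000 >< 55000 keep state")
FIXED_RULE = ("pass in on $ext_if inet proto tcp from any to $jail_addr_1 "
              "port 54000:55000 keep state")
POSTED_CONF = "MasqueradeAddress 1.2.3.4\nPassivePorts 54000 55000\n"
PUBLIC_IP = "1.2.3.4"  # public address from the post

# Constructed PASV replies: what a client sees without and with MasqueradeAddress.
# 192.168.1.2 is an assumed private jail address, not one given in the post.
PASV_PRIVATE = "227 Entering Passive Mode (192,168,1,2,211,1)."
PASV_PUBLIC = "227 Entering Passive Mode (1,2,3,4,211,1)."

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"\bport\s+(\d+)\s*(:|><|<>)\s*(\d+)")


def parse_pasv(reply):
    """Return (ip, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def advertised_address_ok(reply, public_ip):
    """True if the PASV reply carries the public address the client can reach.

    A private (RFC 1918) address here is the classic symptom of a NATed
    server without MasqueradeAddress: the client connects to it and hangs."""
    ip, _ = parse_pasv(reply)
    return ip == public_ip and not ipaddress.ip_address(ip).is_private


def pf_port_set(rule):
    """Set of ports matched by the `port` clause of a pf rule (pf.conf(5) semantics)."""
    m = PORT_RE.search(rule)
    if not m:
        raise ValueError("no port range in rule: %r" % rule)
    lo, op, hi = int(m.group(1)), m.group(2), int(m.group(3))
    if op == ":":           # inclusive range
        return set(range(lo, hi + 1))
    if op == "><":          # range excluding both endpoints
        return set(range(lo + 1, hi))
    return set(range(1, lo)) | set(range(hi + 1, 65536))  # "<>": outside the range


def passive_ports(conf):
    """Inclusive port set from the PassivePorts directive of proftpd.conf."""
    m = re.search(r"^\s*PassivePorts\s+(\d+)\s+(\d+)", conf, re.M)
    if not m:
        raise ValueError("no PassivePorts directive")
    lo, hi = int(m.group(1)), int(m.group(2))
    return set(range(lo, hi + 1))


def uncovered_passive_ports(rule, conf):
    """Ports ProFTPD may advertise that the pf pass rule would not let in."""
    return sorted(passive_ports(conf) - pf_port_set(rule))


def report(rule, conf, reply, public_ip):
    """Summarise both checks for a rule/conf/PASV-reply combination."""
    return {
        "pasv": parse_pasv(reply),
        "address_ok": advertised_address_ok(reply, public_ip),
        "uncovered_ports": uncovered_passive_ports(rule, conf),
    }


if __name__ == "__main__":
    print("without MasqueradeAddress:", report(POSTED_RULE, POSTED_CONF, PASV_PRIVATE, PUBLIC_IP))
    print("posted rule (><):         ", report(POSTED_RULE, POSTED_CONF, PASV_PUBLIC, PUBLIC_IP))
    print("inclusive rule (:):       ", report(FIXED_RULE, POSTED_CONF, PASV_PUBLIC, PUBLIC_IP))
```

Run against the posted configuration it reports ports 54000 and 55000 as uncovered; with `port 54000:55000` the list is empty. The address check is the one to run first when passive transfers hang: if the reply names a private address, no pf rule will help until MasqueradeAddress points at the public IP.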