Re: Pf, ftp-proxy and proftp running into a jail
- To: David Marec <david_(_dot_)_marec_(_at_)_davenulle_(_dot_)_org>
- Subject: Re: Pf, ftp-proxy and proftp running into a jail
- From: Miroslav Lachman <000_(_dot_)_fbsd_(_at_)_quip_(_dot_)_cz>
- Date: Sun, 05 Oct 2008 18:48:19 +0200
- Cc: freebsd-pf_(_at_)_freebsd_(_dot_)_org
David Marec wrote:
Hi,
I am trying to get proftpd running in a jail, available from outside the host.
First, I wrote rules to redirect FTP traffic from ext_if to the jail and to NAT jailed traffic to ext_if.
After login, the data connection keeps being closed in passive mode; active mode is working well.
Then, I tried to use ftp-proxy, by adding the following entries to rc.conf:
ftpproxy_enable="yes"
ftpproxy_flags="-vv -R ftp.server.address -p 21 -b ext.if"
and followed the tutorial I found on the OpenBSD website:
http://www.openbsd.org/faq/pf/ftp.html
But I can't even connect to the FTP server.
What is the right way to use ftp-proxy?
Are you sure you need ftp-proxy?
I have ProFTPd in a jail on a private IP, bidirectionally NATed by PF 1:1 to a public IP, with the following rules:
binat on $ext_if from $jail_addr_1 to any -> $ext_addr_1
## pass incoming in to jails (from outside world)
## The filter engine will see the IP packet as it looks after translation has taken place
pass in on $ext_if inet proto tcp from any to $jail_addr_1 port $jail_tcp_1_inports
## pass in/out (both directions) on jail interface (operations inside jail)
pass on $jail_if inet from $jail_addr_1 to $jail_addr_1
## passive FTP transfer - highports - for FTP in Jail (must use MasqueradeAddress in proftpd.conf)
## inclusive range (":"), so the end ports 54000 and 55000 are covered too; "><" would exclude them
pass in on $ext_if inet proto tcp from any to $jail_addr_1 port 54000:55000 keep state
And in proftpd.conf I have:
# If Jail has NATed local IP address
MasqueradeAddress 1.2.3.4
PassivePorts 54000 55000
(1.2.3.4 is the public IP address on which FTP will be accessible)
You do not need a 1:1 mapping; you can use NAT + RDR rules to redirect just some port range into your jail.
Miroslav Lachman
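As an added illustration of the NAT + RDR variant mentioned at the end of the reply (this is not part of the original thread; interface names, addresses and the port macro are assumed), the pf.conf below forwards only the FTP control port and the passive data range into the jail, while the jail's outbound traffic leaves under the public address. MasqueradeAddress and PassivePorts in proftpd.conf are still required so that the PASV reply carries the public address and a port inside the redirected range.

```pf
# Assumed values: adjust to your own interfaces and addresses.
ext_if      = "em0"
jail_if     = "lo1"
ext_addr_1  = "1.2.3.4"
jail_addr_1 = "10.0.0.2"
ftp_pasv    = "54000:55000"   # must match PassivePorts in proftpd.conf

# Outbound: traffic from the jail is source-NATed to the public address.
nat on $ext_if inet from $jail_addr_1 to any -> $ext_addr_1

# Inbound: redirect only the control port and the passive data range
# to the jail; the destination port is left unchanged.
rdr on $ext_if inet proto tcp from any to $ext_addr_1 port 21 -> $jail_addr_1
rdr on $ext_if inet proto tcp from any to $ext_addr_1 port $ftp_pasv -> $jail_addr_1

# Filter rules see the packet after translation, so match on the jail address.
pass in on $ext_if inet proto tcp from any to $jail_addr_1 port 21 flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $jail_addr_1 port $ftp_pasv flags S/SA keep state

# Allow the jail to talk to itself on its own interface.
pass on $jail_if inet from $jail_addr_1 to $jail_addr_1
```

Anything else on the public address stays unreachable from outside, since no rdr or pass rule covers it.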