forward packets to jail with pf

I have recently set up an FTP server in a jail. Everything works fine as long as my server's firewall is off. I am unable to route the packets to the jail via my pf.conf. I have added an alias in my /etc/rc.conf for an IP mapped to the jail. Namely, my rc.conf contains:
Code:
ifconfig_vr0="192.168.0.101 netmask 255.255.255.0"
ifconfig_vr0_alias0="inet 192.168.0.102/32"

My server's pf.conf contains:
Code:
set skip on lo0
interface="vr0"
# intended to name the jail's alias address (ifconfig_vr0_alias0 in rc.conf)
ftpJail="vr0_alias0"
scrub in all
# default deny on the external interface
block in on $interface
# host services: ssh on 2222, http, and 6665
pass in on $interface proto tcp from any to $interface port 2222
pass in on $interface proto tcp from any to $interface port 80
pass in on $interface proto tcp from any to $interface port 6665
# FTP control connection to the jail
pass in on $ftpJail proto tcp from any to $ftpJail port 21
# outbound traffic from the jail address and from the host
pass out on $ftpJail proto { tcp, udp, icmp } all
pass out on $interface proto { tcp, udp, icmp } all

My jail server's rc.conf contains:
Code:
ifconfig_vr0="192.168.0.102 netmask 255.255.255.0"

Any help would be great. Thanks
 
Code:
ftpJail="vr0_alias0"

This may be valid, though I've never seen it used ;)

As an alternative, try

Code:
ftpJail="vr0:1"

Use pfctl -sr to check how it looks in full detail.
 
That unfortunately did not work. It gave me an error in the pf.conf file stating that there was no IP matched for vr0:1.
 
Try with the actual IP address instead of an interface definition? I think my vr0:1 was a bit misguided; just because vr0:0 means 'the first IP address on the interface' doesn't mean that vr0:1 means 'the first alias'. Would be nice though ;)
 
That did not work either... Any other possibilities? Perhaps a way to route the packets to the interface?
 
Code:
interface="vr0"
ftpJail="192.168.0.102"
# match the jail's address on the physical interface; keep state for the reply packets
pass in quick on $interface inet proto tcp from any to $ftpJail port 21 flags S/SA keep state

This doesn't work? Specific FTP settings aside (active/passive, it's always a hassle), the connection should be possible.
 
DD,

Thanks for the reply, I will try that rule when I get home from work tonight. You are right about the pain... I wish I had a better understanding of the rule sets; I need to read up on them more. Just hoping for a quick fix for now while I struggle to find time later to learn more in detail. Would you recommend I start off using only that rule to check if everything works, and then implement the rest of my pf rules, or just try them all in conjunction?
 
It's usually better to gradually add to your ruleset, and to put a 'log' statement on your first block rule (run tcpdump(1) on the pflog0 interface to see what gets caught).
 
That did not work either. I will debug a little over the next couple of days and see what I can find... unfortunately I don't have a lot of time to do so. I will post back when I have some more information or ideas, however.
 
I have 3 jail web servers running Apache, load balanced by PF:

Code:
webserver="{192.168.1.2, 192.168.1.3, 192.168.1.4}"

Maybe you should use the IP :)

Or perhaps use rdr.

Example:
Code:
# redirect inbound FTP control connections to the address and port of the real server
rdr pass on $ext_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
 
That did it! I substituted the jail's IP for 127.0.0.1 and changed the port, but that was it. Thanks so much!
 
pf.conf with multiple IP addresses on one interface

Here is another solution that works even if you have jails using the same ports (so port forwarding is not an option).

I use an alias for re0:
Code:
ifconfig re0 192.168.1.1/24
ifconfig re0 192.168.1.2/32 alias
On both IPs (one is actually a jail) an sshd is listening, so port forwarding is useless here.

This pf.conf solved my problem:
Code:
ext_if="re0"
#define main ip and services running on it
main_ip="192.168.1.1"
main_svc_ext="{22}"

#define jail ips and services running on them
jail_forum_if="re0:1"
jail_forum_ip="192.168.1.2"
jail_forum_svc_ext="{443 22}"

#block all traffic
block in log on $ext_if

#let traffic get out
pass out on $ext_if
pass out on $jail_forum_if

#define main services
pass in on $ext_if proto tcp from any to $main_ip port $main_svc_ext

#define jails
pass in on $ext_if proto tcp from any to $jail_forum_ip port $jail_forum_svc_ext

#allow pings
pass in inet proto icmp all icmp-type echoreq
pass out inet proto icmp all

I hope this helps.
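Putting the two working approaches from this thread (the rdr redirect and the direct pass rule on the jail's address) together, here is a complete pf.conf for the first poster's layout. This is an added example, not any poster's own config. It assumes the host address 192.168.0.101 and the jail alias 192.168.0.102 on vr0 as in the first post, and it assumes the jail's ftpd hands out passive data ports in 49152-49200; that range is a guess and has to match whatever your ftpd is configured to use.

```pf
# /etc/pf.conf -- added example for the layout in this thread, not a poster's config.
# Assumptions: host vr0 = 192.168.0.101, jail alias = 192.168.0.102 (same interface),
# host services on tcp 2222, 80 and 6665, jail ftpd on 21 with passive ports 49152-49200.
ext_if   = "vr0"
host_ip  = "192.168.0.101"
jail_ip  = "192.168.0.102"
host_tcp = "{ 2222, 80, 6665 }"
ftp_pasv = "49152:49200"      # assumption: passive data port range of the jail's ftpd

set skip on lo0
scrub in all

# Translation rules must come before filter rules. Option B from the thread:
# connections to the host's own address on port 21 are redirected into the jail.
# "rdr pass" lets the redirected connection through without a separate pass rule.
rdr pass on $ext_if inet proto tcp from any to $host_ip port 21 -> $jail_ip port 21

# Default deny, logged. Watch what it drops with:  tcpdump -n -e -ttt -i pflog0
block in log on $ext_if

# Option A: the jail's own address. The alias is an extra address on vr0, not an
# interface, so the rule is "on vr0 ... to $jail_ip". "vr0_alias0" is only the name
# of an rc.conf variable; pf resolves interface names and no such interface exists.
pass in quick on $ext_if inet proto tcp from any to $jail_ip port 21 flags S/SA keep state

# Passive-mode data connections arrive on the jail's high ports. Without this rule
# the control connection succeeds but listings and transfers hang.
pass in quick on $ext_if inet proto tcp from any to $jail_ip port $ftp_pasv flags S/SA keep state

# Host services on the primary address
pass in on $ext_if inet proto tcp from any to $host_ip port $host_tcp flags S/SA keep state

# Replies and outbound connections. A non-VNET jail shares the host's network
# stack, so one rule on vr0 covers both the host and the jail address.
pass out on $ext_if proto { tcp, udp, icmp } all keep state
```

Check the syntax before loading it with pfctl -nf /etc/pf.conf, load it with pfctl -f /etc/pf.conf, and compare the expanded rules with pfctl -sr; the macros in the port and address positions are expanded there, which is the quickest way to see whether a rule really matches the jail's address on vr0. If you only need one of the two approaches, drop the other: with option A the rdr line goes, with option B the two "to $jail_ip" rules go and the passive range rule is then written against $host_ip instead.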
 