FTP-Server in Jail with FreeBSD 10

Hello,

I spent 2 days reading different manuals, documentation and howtos, but I'm not able to configure pf to forward active FTP transmissions to an ftpd() in a jail.
Yes, I know FTP is outdated, but I have to provide an FTP upload possibility to get some files I need. And the other side seems to be restricted to active mode.

Here is my current configuration:
  • external interface 144.76.37.181 on re0
  • ftp server in jail 10.0.0.5 on lo1
  • ftp proxy on host 10.0.0.1 on lo1

Network- and jail-specific lines in /etc/rc.conf
Code:
# Public interface: 144.76.37.160/27, default gateway .161
ifconfig_re0="inet 144.76.37.181 netmask 255.255.255.224"
gateway_enable="YES"                 # IP forwarding between re0 and the jail addresses on lo1
defaultrouter="144.76.37.161"

# Cloned loopback carrying the jail addresses, one /32 each
cloned_interfaces="lo1"
ifconfig_lo1="inet 10.0.0.1/32"          # host side, ftp-proxy binds here
ifconfig_lo1_alias0="inet 10.0.0.2/32"
ifconfig_lo1_alias1="inet 10.0.0.3/32"
ifconfig_lo1_alias2="inet 10.0.0.4/32"
ifconfig_lo1_alias3="inet 10.0.0.5/32"   # FTP jail

# ftp-proxy(8): listen on 10.0.0.1:8021, relay every session to the jail's ftpd on 10.0.0.5:21
ftpproxy_enable="YES"
ftpproxy_flags="-b 10.0.0.1 -p 8021 -R 10.0.0.5 -P 21"

pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"

ezjail_enable="YES"

Here is my reduced /etc/pf.conf:
Code:
EXT_IF = "re0"
JAIL_NET = "lo1:network"

# Options have to come before the translation and filter rules,
# otherwise pfctl rejects the file ("Rules must be in order").
set skip on lo0
set skip on lo1

# Translation: ftp-proxy(8) loads its own nat/rdr rules into these anchors
nat-anchor "ftp-proxy/*"
nat on $EXT_IF from $JAIL_NET to any -> $EXT_IF
rdr-anchor "ftp-proxy/*"
# Incoming control connections go to the proxy on the host
rdr pass on $EXT_IF proto tcp from any to $EXT_IF port 21 -> 10.0.0.1 port 8021

# Filtering
block all
anchor "ftp-proxy/*"

## I tried those (made no difference), but I think ftp-proxy should take care of this:
# pass in on lo1 proto tcp from any to any port { 21, >1024 }
# pass out proto tcp from any to any port { 21, >1024 }

To debug what is going on, I started ftpd() in the jail:
Code:
/usr/libexec/ftpd -Dlld    # -D daemon, -l -l log sessions and file operations, -d debug output to syslog
and ftp-proxy() on the host from the console:
Code:
$ sudo ftp-proxy -d -R 10.0.0.5 -b 10.0.0.1 -D7 -vv
using fixed server 10.0.0.5
listening on 10.0.0.1 port 8021
#1 accepted connection from 37.24.79.224
#1 FTP session 1/100 started: client 37.24.79.224 to server 10.0.0.5 via proxy 10.0.0.5 
#1 server: 220 otr FTP server (Version 6.00LS) ready.\r\n
#1 client: USER otrfiles\r\n
#1 server: 331 Password required for otrfiles.\r\n
#1 client: PASS xxxxxxxxx\r\n
#1 server: 230 User otrfiles logged in, access restrictions apply.\r\n
#1 client: SYST\r\n
#1 server: 215 UNIX Type: L8 Version: BSD-199506\r\n
#1 client: PASV\r\n
#1 server: 227 Entering Passive Mode (10,0,0,5,216,42)\r\n
#1 passive: client to server port 55338 via port 53353
#1 proxy: 227 Entering Passive Mode (144,76,37,181,208,105)\r\n
#1 client: LIST\r\n
#1 server: 150 Opening ASCII mode data connection for '/bin/ls'.\r\n
#1 server: 226 Transfer complete.\r\n
#1 client: PORT 37,24,79,224,145,237\r\n
#1 proxy: PORT 10,0,0,5,248,90\r\n
#1 active: server to client port 37357 via port 63578
#1 server: 200 PORT command successful.\r\n
#1 client: LIST\r\n
#1 server: 425 Can't build data connection: Connection refused.\r\n

Here is the output of cat /var/log/debug.log from the jail:
Code:
May 18 10:13:06 otr ftpd[11108]: <--- 220 
May 18 10:13:06 otr ftpd[11108]: otr FTP server (Version 6.00LS) ready.
May 18 10:13:06 otr ftpd[11108]: command: USER otrfiles
May 18 10:13:06 otr ftpd[11108]: <--- 331 
May 18 10:13:06 otr ftpd[11108]: Password required for otrfiles.
May 18 10:13:06 otr ftpd[11108]: command: PASS  ???
May 18 10:13:06 otr ftpd[11108]: <--- 230 
May 18 10:13:06 otr ftpd[11108]: User otrfiles logged in, access restrictions apply.
May 18 10:13:06 otr ftpd[11108]: command: SYST
May 18 10:13:06 otr ftpd[11108]: <--- 215 
May 18 10:13:06 otr ftpd[11108]: UNIX Type: L8 Version: BSD-199506
May 18 10:13:12 otr ftpd[11108]: command: PASV
May 18 10:13:12 otr ftpd[11108]: <--- 227 
May 18 10:13:12 otr ftpd[11108]: Entering Passive Mode (10,0,0,5,216,42)
May 18 10:13:12 otr ftpd[11108]: command: LIST
May 18 10:13:12 otr ftpd[11108]: <--- 150 
May 18 10:13:12 otr ftpd[11108]: Opening ASCII mode data connection for '/bin/ls'.
May 18 10:13:12 otr ftpd[11108]: <--- 226 
May 18 10:13:12 otr ftpd[11108]: Transfer complete.
May 18 10:13:16 otr ftpd[11108]: command: PORT 10,0,0,5,248,90
May 18 10:13:16 otr ftpd[11108]: <--- 200 
May 18 10:13:16 otr ftpd[11108]: PORT command successful.
May 18 10:13:16 otr ftpd[11108]: command: LIST
May 18 10:13:16 otr ftpd[11108]: <--- 425 
May 18 10:13:16 otr ftpd[11108]: Can't build data connection: Connection refused.
May 18 10:13:19 otr ftpd[11108]: command: QUIT
May 18 10:13:19 otr ftpd[11108]: <--- 221 
May 18 10:13:19 otr ftpd[11108]: Goodbye.

As you can see, passive transfer is working, but I cannot make active mode work. :\

Here are a few more details from pfctl():
Code:
$ sudo pfctl -vv -s nat
No ALTQ support in kernel
ALTQ related functions disabled
@0 nat-anchor "ftp-proxy/*" all
  [ Evaluations: 29        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 10748 State Creations: 0     ]
@1 nat on re0 inet from 10.0.0.0/24 to any -> 144.76.37.181
  [ Evaluations: 29        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 10748 State Creations: 0     ]
@2 nat on re0 inet from 10.0.0.2 to any -> 144.76.37.181
  [ Evaluations: 23        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 10748 State Creations: 0     ]
@3 nat on re0 inet from 10.0.0.3 to any -> 144.76.37.181
  [ Evaluations: 23        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 10748 State Creations: 0     ]
@4 nat on re0 inet from 10.0.0.4 to any -> 144.76.37.181
  [ Evaluations: 23        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 10748 State Creations: 0     ]
@5 nat on re0 inet from 10.0.0.5 to any -> 144.76.37.181
  [ Evaluations: 23        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 10748 State Creations: 0     ]
@0 rdr-anchor "ftp-proxy/*" all
  [ Evaluations: 2         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 10748 State Creations: 0     ]
@1 rdr pass on re0 inet proto tcp from any to 144.76.37.181 port = ftp -> 10.0.0.1 port 8021
  [ Evaluations: 1         Packets: 27        Bytes: 1896        States: 1     ]
  [ Inserted: uid 0 pid 10748 State Creations: 1     ]

$ sudo pfctl -vv -s rules
No ALTQ support in kernel
ALTQ related functions disabled
@0 block drop all
  [ Evaluations: 35        Packets: 34        Bytes: 2530        States: 0     ]
  [ Inserted: uid 0 pid 10748 State Creations: 0     ]
@1 anchor "ftp-proxy/*" all
  [ Evaluations: 35        Packets: 10        Bytes: 2933        States: 0     ]
  [ Inserted: uid 0 pid 10748 State Creations: 1     ]
@2 pass in on re0 proto tcp from any to any port = cvspserver flags S/SA keep state
  [ Evaluations: 34        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 10748 State Creations: 0     ]


$ sudo pfctl -vv -s Anchors
No ALTQ support in kernel
ALTQ related functions disabled
  ftp-proxy
  ftp-proxy/10761.1


$ sudo pfctl -vv -a ftp-proxy/10761.1 -s rules
No ALTQ support in kernel
ALTQ related functions disabled
@0 pass in log (all) quick inet proto tcp from 10.0.0.5 to 37.24.79.224 port = 37357 flags S/SA keep state (max 1) rtable 0
  [ Evaluations: 31        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 62 pid 10761 State Creations: 0     ]
@1 pass out log (all) quick inet proto tcp from 144.76.37.181 to 37.24.79.224 port = 37357 flags S/SA keep state (max 1) rtable 0
  [ Evaluations: 31        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 62 pid 10761 State Creations: 0     ]

Is ftp-proxy() the right way to redirect the FTP traffic to the jail? What am I doing wrong? I am a bit frustrated :q

Best regards,
Björn
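Reading the ftp-proxy -vv output above means decoding the six-number tuples that FTP uses in PORT commands and 227 (PASV) replies: four octets of the address, then the port as p1 * 256 + p2. The script below is an added example, not part of the original post; it decodes every such tuple in a log and labels it with the party that sent it. The sample lines are copied from the ftp-proxy output in the post.

```sh
#!/bin/sh
# Added example (not from the original post): decode the h1,h2,h3,h4,p1,p2
# tuples used by FTP PORT commands and 227 (PASV) replies, so ftp-proxy -vv
# output can be read as host:port. Port = p1 * 256 + p2.

# decode_ftp_tuple '10,0,0,5,248,90'  ->  10.0.0.5:63578
decode_ftp_tuple() {
    printf '%s\n' "$1" |
        awk -F, '{ printf "%d.%d.%d.%d:%d\n", $1, $2, $3, $4, $5 * 256 + $6 }'
}

# decode_ftp_log: read ftp-proxy -vv lines on stdin; for every PORT command
# or 227 reply print "<who> <PORT|PASV> <host:port>", where <who> is the
# party that sent it: client, server, or proxy (the proxy's rewritten copy).
decode_ftp_log() {
    awk '
        match($0, /[0-9]+,[0-9]+,[0-9]+,[0-9]+,[0-9]+,[0-9]+/) {
            split(substr($0, RSTART, RLENGTH), o, ",")
            who  = ($0 ~ /proxy:/) ? "proxy" : (($0 ~ /client:/) ? "client" : "server")
            kind = ($0 ~ /PORT/) ? "PORT" : "PASV"
            printf "%s %s %d.%d.%d.%d:%d\n", who, kind, o[1], o[2], o[3], o[4], o[5] * 256 + o[6]
        }'
}

# Sample input: the relevant lines from the ftp-proxy log in the post.
SAMPLE_LOG='#1 server: 227 Entering Passive Mode (10,0,0,5,216,42)\r\n
#1 proxy: 227 Entering Passive Mode (144,76,37,181,208,105)\r\n
#1 client: PORT 37,24,79,224,145,237\r\n
#1 proxy: PORT 10,0,0,5,248,90\r\n'

printf '%s\n' "$SAMPLE_LOG" | decode_ftp_log
```

Run on the sample it prints `server PASV 10.0.0.5:55338`, `proxy PASV 144.76.37.181:53353`, `client PORT 37.24.79.224:37357` and `proxy PORT 10.0.0.5:63578`, which matches the proxy's own "passive: ... port 55338 via port 53353" and "active: server to client port 37357 via port 63578" lines. The last one is the interesting part of the log: the proxy told ftpd in the jail to open its data connection to 10.0.0.5:63578, an address on lo1, not to the client, and that connection is the one ftpd reports as refused.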
 
Sorry if my last post was too long or had too many details. I am sure that something is missing. Can someone push me in the right direction on how to debug and investigate the problem?
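An added example, not part of the original posts or of any reply in the thread: a pf.conf with the one change the posted output points at. The proxy rewrote the client's `PORT 37,24,79,224,145,237` (37.24.79.224:37357) into `PORT 10,0,0,5,248,90`, i.e. 10.0.0.5:63578, so ftpd in the jail opens its data connection to an address on lo1. ftp-proxy(8) does not relay data connections itself; it loads a rdr rule into its rdr-anchor that redirects this server-to-proxy connection on to the real client, and a nat rule that rewrites the source to the external address (the posted `-s rules` listing shows only the filter half of the anchor, `pass in ... from 10.0.0.5 to 37.24.79.224 port = 37357` and `pass out ... from 144.76.37.181`; the translation half is listed with `-s nat`). `set skip on lo1` takes lo1 out of pf entirely, so that rdr can never apply: ftpd's connect to 10.0.0.5:63578 reaches a port nothing listens on and is refused, and anchor rule @0 stays at 0 packets. Passive mode is unaffected because there the client's data connection arrives on re0, where pf is active. The fragment below therefore skips lo0 only, adds a pass rule for lo1, and keeps the sections in the order pfctl requires (options, translation, filtering). Addresses and ports are the ones from the post; the PROXY macro name is added here for readability.

```conf
# Added example, not the original post's file: /etc/pf.conf with pf left
# active on lo1 so that the rdr ftp-proxy loads for active-mode data
# connections can take effect. Addresses and ports are those from the post.
EXT_IF   = "re0"
JAIL_NET = "lo1:network"
PROXY    = "10.0.0.1"        # host address ftp-proxy listens on (-b)

# Options first (pfctl requires: options, normalization, queueing,
# translation, filtering). Skip lo0 only; lo1 must stay under pf control.
set skip on lo0

# Translation. ftp-proxy(8) adds a nat and a rdr rule to these anchors for
# every data connection it negotiates.
nat-anchor "ftp-proxy/*"
nat on $EXT_IF from $JAIL_NET to any -> $EXT_IF
rdr-anchor "ftp-proxy/*"
# Incoming control connections go to the proxy, which connects on to the jail
rdr pass on $EXT_IF proto tcp from any to $EXT_IF port 21 -> $PROXY port 8021

# Filtering
block all
# Host <-> jail traffic on lo1: the control connection proxy -> jail:21 and
# the jail's data connection after rdr. Tighten to specific ports once it
# works (the commented pass lines in the post are a starting point).
pass quick on lo1 keep state
# Per-transfer pass in / pass out rules that ftp-proxy adds
anchor "ftp-proxy/*"
```

Check syntax and section order with `pfctl -nf /etc/pf.conf` before loading. To confirm the diagnosis on the current setup first, repeat the failing transfer and list the translation half of the proxy's anchor, `pfctl -vv -a ftp-proxy/<pid>.<n> -s nat` (same anchor name as in the posted `-s rules` listing): the rdr from 10.0.0.5 to 10.0.0.5 port 63578 (or whatever port the proxy picked) will be there with 0 packets, and `tcpdump -ni lo1 tcp` will show the jail's SYN to that port answered by a RST from 10.0.0.5 instead of leaving via re0 towards the client.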
 