PF NAT and JAIL

For too long, I was searching for the answer as to why fetch, ftp and friends would not work within jail(8). Truly it was very frustrating. There was nothing wrong with creating jail(8) environments using ezjail. Although I had used ezjail-admin with the -f (flavor) option, it was never able to fetch the tarballs for the applications required for the jails.

The answer to the ftp/fetch problem was found by just looking at /usr/share/examples/pf/pf.conf.

All that was needed in simple terms was the following:

Code:
ext_if="ext0"   # your external NIC
int_if="int0"   # your internal NIC

set skip on lo

scrub in

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

anchor "ftp-proxy/*"
block in
pass out

Then just add the rest of your inbound rules below the 'pass out' line.

Enable ftp-proxy in /etc/rc.conf:
Code:
ftpproxy_enable="YES"
ftpproxy_flags=""

Start ftp-proxy (# /etc/rc.d/ftp-proxy start).
Reload your pf (# /etc/rc.d/pf reload).

As a side note, once the above PF configuration was done (also incorporating our own PF rules below the pass out line, as indicated above), running # ezjail-admin create -f web web140 192.168.1.140 followed by # ezjail-admin start web140 built the jail(8) environment with all the packages I had added to my ezjail.flavour.

I do hope the above helps anyone else who encountered issues with FTP, FETCH and JAIL.
 
Off topic:

I always remove the following line from the PF rules:
Code:
set skip on lo

Otherwise, jails can see each other (I mean that an app in one jail can connect to an app in another jail, which means less security). I always explicitly allow connections on a need-only basis. Just in case. There is never too much security...
 
I have two further questions:

- If you only have jails, not a real network behind the box, what does $int_if mean in this context? Something like lo1? But since there is "set skip on lo", setting $int_if = lo1 is useless, isn't it?

- Why is "anchor ftp-proxy/*" before the general "pass in; block out" rules? As the rules for FTP are going to be "more specific" than those two, they should go after, shouldn't they?
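The ordering question above turns on how pf walks a ruleset: top to bottom, the last matching rule wins, unless a matching rule carries "quick", which ends the walk at once; an anchor's rules are evaluated in place where the anchor line sits. The toy model below is an added example, not code from the thread or from pf; the ruleset, the Rule/Packet types and the constructed data-connection port are assumptions made up to illustrate the point.

```python
"""Toy model of pf rule evaluation (constructed example, not pf code).

pf is last-match-wins: a later 'block in' overrides an earlier 'pass'
unless the earlier pass carries 'quick'. The model ignores addresses
and state; only direction, destination port and 'quick' are modelled.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    direction: str              # "in", "out" or "any"
    port: Optional[int] = None  # destination port, None matches any port
    quick: bool = False         # stop evaluating on match, as pf's 'quick'


@dataclass(frozen=True)
class Packet:
    direction: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in ("any", pkt.direction)
            and (rule.port is None or rule.port == pkt.dport))


def evaluate(ruleset: List[Rule], pkt: Packet, default: str = "pass") -> str:
    """Return the action pf would apply: last match wins, 'quick' ends the walk."""
    decision = default
    for rule in ruleset:
        if matches(rule, pkt):
            decision = rule.action
            if rule.quick:
                break
    return decision


# Stand-in for what a rule inside anchor "ftp-proxy/*" might look like:
# a pass for an inbound FTP data connection on a constructed high port.
DATA_PORT = 49152
PROXY_PASS_PLAIN = Rule("pass", "in", DATA_PORT, quick=False)
PROXY_PASS_QUICK = Rule("pass", "in", DATA_PORT, quick=True)
BLOCK_IN = Rule("block", "in")
PASS_OUT = Rule("pass", "out")


def ftp_data_fate(proxy_rule: Rule, anchor_first: bool = True) -> str:
    """Fate of the data connection with the anchor before or after block in / pass out."""
    ruleset = ([proxy_rule, BLOCK_IN, PASS_OUT] if anchor_first
               else [BLOCK_IN, PASS_OUT, proxy_rule])
    return evaluate(ruleset, Packet("in", DATA_PORT))
```

With the anchor placed before "block in", its pass rules only survive if they are "quick"; placed after, they win by position alone. Check with pfctl -sr -a "ftp-proxy/*" what the running ftp-proxy actually inserts before relying on either placement.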
 