For too long, I was searching for the answer as to why fetch, ftp and friends would not work within jail(8). Truly it was very frustrating. There was nothing wrong with creating jail(8) environments using ezjail. Although I had used ezjail-admin with the -f (flavor) option, it was never able to fetch the tarballs for the applications required for the jails.
The answer to the ftp/fetch problem was solved by just looking at /usr/share/examples/pf/pf.conf
All that was needed in simple terms was the following:
Code:
# Interface macros: substitute your own NIC names (ext0/int0 are placeholders)
ext_if="ext0"   # your external NIC
int_if="int0"   # your internal NIC

set skip on lo
scrub in

# Anchors that ftp-proxy(8) populates at runtime with per-session nat/rdr rules
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# NAT everything leaving the external interface to its primary address
nat on $ext_if from !($ext_if) -> ($ext_if:0)

# Redirect the jails' outbound FTP control connections to the local ftp-proxy
# (it listens on 127.0.0.1:8021 by default)
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

# Filter rules that ftp-proxy adds for the data connections
anchor "ftp-proxy/*"

block in
pass out
Then just add the rest of your inbound rules below the 'pass out' line.
Enable ftp-proxy in /etc/rc.conf
Code:
ftpproxy_enable="YES"
ftpproxy_flags=""
start ftp-proxy (# /etc/rc.d/ftp-proxy start)
reload your pf (# /etc/rc.d/pf reload)
As a side note, once the above PF configuration was done (also incorporating our own PF rules below the 'pass out' line, as indicated above), running
Code:
# ezjail-admin create -f web web140 192.168.1.140
followed by
Code:
# ezjail-admin start web140
built the jail(8) environment with all the packages I had added to my ezjail.flavour. I do hope the above helps anyone else that encountered issues with FTP, FETCH and JAIL.
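As an added example (not part of the original post, and not ezjail's or ftp-proxy's own code), the following FreeBSD /bin/sh script turns the procedure above into something you can run before creating the jail: it generates the same minimal ruleset for a given pair of interface names, and checks an existing pf.conf and rc.conf for the ftp-proxy anchors, the rdr to 127.0.0.1:8021, and ftpproxy_enable="YES". The interface names, file paths and the constructed sample files are placeholders; the real-host commands at the end are only listed in comments.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the ftp-proxy pf
# ruleset for two interfaces and verifies the pieces that fetch(1)/ftp(1)
# inside a jail depend on. "ext0"/"int0" and all paths are placeholders.

# Emit the minimal ruleset from the post, parameterised on interface names.
pf_ftp_proxy_rules() {
    ext_if="$1"
    int_if="$2"
    cat <<EOF
ext_if="$ext_if"
int_if="$int_if"
set skip on lo
scrub in
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on \$ext_if from !(\$ext_if) -> (\$ext_if:0)
rdr pass on \$int_if proto tcp to port ftp -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"
block in
pass out
EOF
}

# Return 0 if FILE contains every ftp-proxy hook the ruleset needs;
# otherwise report each missing piece on stderr and return 1.
check_pf_conf() {
    file="$1"
    missing=0
    for pattern in \
        '^nat-anchor "ftp-proxy/\*"' \
        '^rdr-anchor "ftp-proxy/\*"' \
        '^anchor "ftp-proxy/\*"' \
        'port ftp -> 127\.0\.0\.1 port 8021'
    do
        if ! grep -q "$pattern" "$file"; then
            echo "pf.conf: missing rule matching: $pattern" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Return 0 only if rc.conf actually enables ftp-proxy.
check_rc_conf() {
    grep -q '^ftpproxy_enable="YES"' "$1"
}

# Demonstration on constructed files, so it runs without pf or root.
tmp=$(mktemp -d)
pf_ftp_proxy_rules ext0 int0 > "$tmp/pf.conf"
printf 'ftpproxy_enable="YES"\nftpproxy_flags=""\n' > "$tmp/rc.conf"
if check_pf_conf "$tmp/pf.conf" && check_rc_conf "$tmp/rc.conf"; then
    echo "constructed config: OK"
fi
rm -rf "$tmp"

# On the real host (as root), the same checks plus the runtime state:
#   check_pf_conf /etc/pf.conf && check_rc_conf /etc/rc.conf
#   pfctl -nf /etc/pf.conf         # parse the ruleset without loading it
#   service ftp-proxy start        # same as /etc/rc.d/ftp-proxy start
#   service pf reload
#   sockstat -4l | grep 8021       # ftp-proxy must be listening on 127.0.0.1:8021
#   pfctl -s Anchors               # "ftp-proxy" should be listed
```

Run `pfctl -nf` on the generated ruleset before merging it into /etc/pf.conf; the checks here only confirm the required lines exist, they do not replace pf's own parser, and your inbound rules still go below the 'pass out' line as the post says.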