# ftp-proxy on jails on lo1



## solskogen (Mar 14, 2010)

I've been setting up my jails on a cloned interface called lo1 (127.0.1.0/24) - and it seems jails are having a bit of a problem using ftp in passive mode even when I think I've set things up correctly. The only jail that is not on lo1 (192.168.0.4) is not having any issues connecting to an ftp server.

pf.conf:

```
int_if="em0"
jif="lo1"
db1="127.0.1.1"
web="127.0.1.2"
proxy="127.0.1.3"
imap="127.0.1.6"
tomcat="127.0.1.8"
ns="192.168.0.4"
postgres="127.0.1.9"

nat on $int_if from $jif:network to any -> ($int_if)

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass proto tcp from any to any port 21 -> 127.0.0.1 port 8021

#redirects to jails

rdr pass on $int_if proto tcp from any to any port 8180 -> $tomcat
rdr pass on { $int_if, lo0 } proto tcp from any to any port { 80, 443, 993 } -> $proxy
rdr pass on $int_if proto { tcp, udp } from any to ($int_if) port domain -> $ns
rdr pass on $int_if proto tcp from any to ($int_if) port 5432 -> $postgres

anchor "ftp-proxy/*"
pass all keep state
anchor "ftp-proxy/*"
```

and ftp-proxy is really running:

```
shine# sockstat -4 | grep ftp
proxy    ftp-proxy  94980 3  tcp4   127.0.0.1:8021        *:*
```

Any clues?


----------



## hedon (Mar 15, 2010)

I have exactly the same problem:

rc.conf

```
cloned_interfaces="lo1"
ifconfig_lo1="inet 192.168.0.1 netmask 255.255.255.0"
ifconfig_lo1_alias0="inet 192.168.0.2 netmask 255.255.255.255"
ifconfig_lo1_alias1="inet 192.168.0.3 netmask 255.255.255.255"
ifconfig_lo1_alias2="inet 192.168.0.4 netmask 255.255.255.255"
ifconfig_lo1_alias3="inet 192.168.0.5 netmask 255.255.255.255"
```

pf.conf

```
#### First declare a couple of variables ####
# outgoing services
tcp_services = "{ ssh, smtp, smtps, imap, imaps, pop3, pop3s, 587, domain, http, https, 20, 22, ntp, 43, ftp, ftp-data, snmp }"

udp_services = "{ domain, ntp }"
icmp_types = "{ echoreq, unreach }"

martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

#### define tables. add all subnets and ips to block
table <ban> persist file "/etc/pf.block.ip.conf"

#connected to internet
ext_if = "bge0"
ext_ip = "XXX.XXX.XXX.XXX"
int_if = "lo1"
int_ip = "192.168.0.0/24"

#### Normalization
scrub in all

nat on $ext_if from $int_if:network to any -> ($ext_if)

#### NAT and RDR start
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Redirect ftp traffic to proxy
rdr pass on $int_if proto tcp from $int_ip to any port ftp -> 127.0.0.1 port 8021

#### Start filtering
# Drop incoming everything
block in all
# Default connection refused message to client
block return

# keep stats of outging connections
pass out keep state

# We need to have an anchor for ftp-proxy
anchor "ftp-proxy/*"
pass in on $ext_if inet proto tcp from port {20, 21} to ($ext_if) user proxy flags S/SA keep state

# Unlimited traffic for lo0 and lo1 jails
set skip on {lo0, lo1}

# activate spoofing protection for all interfaces
block in quick from urpf-failed

# Antispoof is a common special case of filtering and blocking. This mechanism protects against activity from spoofed or forged IP addresses
antispoof log for $ext_if

#Block RFC 1918 addresses
block drop in log (all)  quick on $ext_if from $martians to any
block drop out log (all) quick on $ext_if from any to $martians

#Block all ips
#pfctl -t ban -T show
block drop in log (all) quick on $ext_if from <ban> to any

# Allow outgoing via ssh, smtp, domain, www, https, whois etc
pass out on $ext_if proto tcp to any port $tcp_services
pass out on $ext_if proto udp to any port $udp_services

# Allow outgoing Trace route
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state


#Open Connections from the Internet
pass in quick on $ext_if proto tcp from any to any port 21 flags S/SA synproxy state
pass in quick on $ext_if proto tcp from any to any port 60000 >< 65535 flags S/SA synproxy state
pass in quick on $ext_if proto tcp from any to any port ssh keep state
pass in quick on $ext_if proto tcp from any to any port { smtp smtps 587 pop3 pop3s imap imaps} flags S/SA synproxy state
pass in quick on $ext_if proto udp from any to any port snmp
pass in quick on $ext_if proto udp from any to any port domain
pass in quick on $ext_if proto tcp from any to any port domain flags S/SA synproxy state
pass in quick on $ext_if proto tcp from any to any port { https http } flags S/SA synproxy state

#pass in quick on $ext_if proto tcp from any to any port = 3690 keep state   # SVN and CVS

pass inet proto icmp all icmp-type $icmp_types keep state
```


```
[root@eden]# sockstat -4 | grep ftp
proxy    ftp-proxy  1533  3  tcp4   127.0.0.1:8021        *:*
nobody   proftpd    1130  0  tcp4   *:21                  *:*
```

Created by ezjail


```
jls
   JID  IP Address      Hostname                      Path
     3  192.168.0.3     pdns                          /usr/jails/pdns
     4  192.168.0.2     apache                        /usr/jails/apache
```


```
pdns# ftp
ftp> o
(to) ftp.freebsd.org
Trying 204.152.184.73...
Connected to ftp.freebsd.org.
220 Welcome to freebsd.isc.org.
Name (ftp.freebsd.org:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||23344|).
425 Security: Bad IP connecting.
ftp>
```

Have any suggestions?


----------



## solskogen (Mar 25, 2010)

Mine works now, but I don't know why. This is my pf.conf:

```
##########
# Macros #
##########
if=             em0     
jif=            lo1
loopback=       lo0
jnet=           $jif:network

jailhost=       192.168.0.3

#jails 
brave=          127.0.1.1       #mail
bright=         127.0.1.2       #apache
cozy=           127.0.1.3       #proxy
gentle=         127.0.1.4       #mysql
lotsa=          127.0.1.5       #files = samba
loyal=          127.0.1.6       #builder
noble=          127.0.1.7       #not-in-use
playful=        127.0.1.8       #not-in-use
proud=          127.0.1.9       #not-in-use
swift=          127.0.1.10      #not-in-use
treat=          127.0.1.11      #not-in-use

#aliases
mail=           $brave
apache=         $bright
proxy=          $cozy
mysql=          $gentle
files=          $lotsa
builder=        $loyal

#############
# NAT Rules #
#############
#grant only some jails internet access but not to the internal network
# wordpress updates somewhat automatically; it needs internet for that
# spamassassin and clam download updates online
#nat on $if from { $apache, $mail } to { !$if:network, any } -> ($if)
nat on $if from { $apache, $mail, $builder } to { any } -> ($if)

#Redirect traffic to the correct jail
rdr pass on $if inet proto tcp from any to ($if) port { http, https, imaps } -> $proxy #varnish for http and stunnel for https and imaps
rdr pass on $if inet proto tcp from any to ($if) port { smtp } -> $mail 

#we don't want the jails to be able to connect to anything without permission
block on $jif
block on $loopback from $jnet

pass on $loopback from $jnet to 127.0.0.1

#pass dns queries from jails to dns server on jailhost
pass on $loopback proto { udp } from $jnet to $jailhost port domain

#let jails connect to themselves and at the same time pass traffic from jailhost
pass on $jif from $mail to $mail
pass on $jif from $apache to $apache
pass on $jif from $proxy to $proxy
pass on $jif from $mysql to $mysql
pass on $jif from $files to $files
pass on $jif from $builder to $builder

# not-in-use
pass on $jif from $noble to $noble
pass on $jif from $playful to $playful
pass on $jif from $proud to $proud
pass on $jif from $swift to $swift
pass on $jif from $treat to $treat

# the proxy server needs to be able to talk to apache and dovecot 
pass on $jif proto tcp from $proxy to $apache port www
pass on $jif proto tcp from $proxy to $mail port imap

# apache needs to be able to connect to mysql and mail
pass on $jif proto tcp from $apache to $mysql port 3306
pass on $jif proto tcp from $apache to $mail port imap 

# jails need to be able to send mail
pass on $jif proto tcp from $jnet to $mail port smtp
```

No ftp-proxy.


----------



## SirDice (Mar 25, 2010)

You can't connect to or bind a service on 127.0.0.1 inside a jail.
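Both pf.conf files earlier in the thread redirect the jails' FTP connections to 127.0.0.1:8021, which is exactly the address SirDice's answer rules out, and the second one also puts lo1 under `set skip`, so a `rdr pass on lo1` is never evaluated by pf at all. The Python check below is an added example, not from this thread or from FreeBSD: it expands pf.conf macros, then flags rdr rules whose target is 127.0.0.1 or whose `on` interfaces are all skipped, run against a constructed sample that mirrors those rules (the macro, rdr and `set skip` parsing covers only the simple forms seen on this page).

```python
import re
# Constructed sample mixing the two posters' patterns (not either file verbatim):
# macros, an rdr sending jail FTP to 127.0.0.1, and a "set skip" on the rdr's interface.
SAMPLE_PF_CONF = """\
int_if = "lo1"
int_ip = "192.168.0.0/24"
proxy = "127.0.1.3"
nat on bge0 from $int_if:network to any -> (bge0)
rdr pass on $int_if proto tcp from $int_ip to any port ftp -> 127.0.0.1 port 8021
rdr pass on { bge0, lo0 } proto tcp from any to any port { 80, 443 } -> $proxy
set skip on { lo0, lo1 }
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')   # name = "value"
RDR_RE = re.compile(r'^rdr\b(?:.*?\bon\s+(\{[^}]*\}|\S+))?.*->\s*\(?([\w.:-]+)\)?')
SKIP_RE = re.compile(r'^set\s+skip\s+on\s+(\{[^}]*\}|\S+)')

def parse_macros(conf):
    """Collect name = value macro definitions, ignoring comment lines."""
    macros = {}
    for line in (l.strip() for l in conf.splitlines()):
        if not line.startswith("#") and (m := MACRO_RE.match(line)):
            macros[m.group(1)] = m.group(2).strip()
    return macros

def expand(text, macros, rounds=10):
    """Substitute $name references; repeated rounds cover macros that use macros."""
    for _ in range(rounds):
        new = re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), text)
        if new == text:
            break
        text = new
    return text

def iface_set(spec):
    """'{ lo0, lo1 }' or 'lo1' -> {'lo0', 'lo1'} or {'lo1'}."""
    return set(spec.strip("{} ").replace(",", " ").split())

def audit(conf):
    """Return (line number, problem) pairs for rdr rules that cannot work for jails."""
    macros = parse_macros(conf)
    lines = [expand(l.strip(), macros) for l in conf.splitlines()]
    skipped = set().union(*(iface_set(m.group(1)) for m in map(SKIP_RE.match, lines) if m))
    findings = []
    for n, line in enumerate(lines, 1):
        if not (m := RDR_RE.match(line)):
            continue
        on, target = m.group(1), m.group(2)
        if target in ("127.0.0.1", "localhost"):
            findings.append((n, "target 127.0.0.1 is not reachable from inside a jail"))
        if on and not (iface_set(on) - skipped):
            findings.append((n, "all 'on' interfaces are under 'set skip'; rule never matches"))
    return findings
```

Running `audit(SAMPLE_PF_CONF)` reports both problems on the FTP rdr line and nothing for the HTTP redirect to the jail address 127.0.1.3, which is an ordinary host address on lo1 and therefore reachable.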


----------

