# forward packets to jail with pf



## z662 (Feb 15, 2010)

I have recently set up an ftp server in a jail. Everything works fine as long as my server's fw is off. I am unable to route the packets to the jail via my pf.conf. I have added an alias in my /etc/rc.conf for an IP mapped to the jail. Namely, my rc.conf contains

```
ifconfig_vr0="192.168.0.101 netmask 255.255.255.0"
ifconfig_vr0_alias0="inet 192.168.0.102/32"
```

My server's pf.conf contains: 
```
set skip on lo0
interface="vr0"
ftpJail="vr0_alias0"
scrub in all
block in on $interface
pass in on $interface proto tcp from any to $interface port 2222
pass in on $interface proto tcp from any to $interface port 80
pass in on $interface proto tcp from any to $interface port 6665
pass in on $ftpJail proto tcp from any to $ftpJail port 21
pass out on $ftpJail proto { tcp, udp, icmp } all
pass out on $interface proto { tcp, udp, icmp } all
```

My jail server's rc.conf contains: 
```
ifconfig_vr0="192.168.0.102 netmask 255.255.255.0"
```

Any help would be great.  Thanks


----------



## DutchDaemon (Feb 15, 2010)

```
ftpJail="vr0_alias0"
```

This may be valid, though I've never seen it used.

As an alternative, try


```
ftpJail="vr0:1"
```

Use `pfctl -sr` to check how it looks in full detail.


----------



## z662 (Feb 16, 2010)

That unfortunately did not work.  It gave me an error in the pf.conf file that stated that there was no ip matched for vr0:1.


----------



## DutchDaemon (Feb 16, 2010)

Try with the actual IP address instead of an interface definition? I think my vr0:1 was a bit misguided; just because vr0:0 means 'the first IP address on the interface' doesn't mean that vr0:1 means 'the first alias'. Would be nice, though.


----------



## z662 (Feb 16, 2010)

That did not work either... Any other possibilities?  Perhaps a way to route the packets to the interface?


----------



## DutchDaemon (Feb 16, 2010)

```
interface="vr0"
ftpJail="192.168.0.102"
pass in quick on $interface inet proto tcp from any to $ftpJail port 21 flags S/SA keep state
```

This doesn't work? Specific FTP settings aside (active/passive, it's always a hassle), the connection should be possible.


----------



## z662 (Feb 16, 2010)

DD,

Thanks for the reply, I will try that rule when I get home from work tonight. You are right about the pain... I wish I had a better understanding of the rule sets, I need to read up on them more. Just hoping for a quick fix for now while I struggle to find time later to learn more in detail. Would you recommend I start off using only that rule to check if everything works, and then implement the rest of my pf rules, or just try them all in conjunction?


----------



## DutchDaemon (Feb 16, 2010)

It's usually better to gradually add to your ruleset, and to put a 'log' statement on your first block rule (run tcpdump(1) on the pflog0 interface to see what gets caught).


----------



## z662 (Feb 16, 2010)

That did not work either, I will debug a little over the next couple of days and see what I can find... unfortunately I don't have a lot of time to do so. I will post back when I have some more information or ideas, however.


----------



## FryShadow (Feb 17, 2010)

I have 3 jail web servers running Apache, load-balanced by PF:

```
webserver="{192.168.1.2, 192.168.1.3, 192.168.1.4}"
```

Maybe you should use the IP,

or perhaps use rdr.

Example:

```
rdr pass on $ext_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
```


----------



## z662 (Feb 18, 2010)

That did it!  I substituted the jail's ip in for 127.0.0.1 and changed the port but that was it, thanks so much!


----------



## FryShadow (Feb 18, 2010)

Good for you z662!


----------



## sahne (Feb 26, 2010)

*pf.conf with multiple IP addresses on one interface*

Here is another solution that works even if you have jails using the same ports (so port forwarding is not an option).

I use an alias on re0:

```
ifconfig re0 192.168.1.1/24
ifconfig re0 192.168.1.2/32 alias
```
On both IPs (one is actually a jail) an sshd is listening, so port forwarding is useless here.

This pf.conf solved my problem:

```
ext_if="re0"
#define main ip and services running on it
main_ip="192.168.1.1"
main_svc_ext="{22}"

#define jail ips and services running on them
#(pf has no "re0:1" interface; the alias is reached through re0, so match on the IP)
jail_forum_ip="192.168.1.2"
jail_forum_svc_ext="{443 22}"

#block all traffic (logged to pflog0)
block in log on $ext_if

#let traffic get out (this covers the alias address as well)
pass out on $ext_if

#define main services
pass in on $ext_if proto tcp from any to $main_ip port $main_svc_ext

#define jails
pass in on $ext_if proto tcp from any to $jail_forum_ip port $jail_forum_svc_ext

#allow pings
pass in inet proto icmp all icmp-type echoreq
pass out inet proto icmp all
```

I hope this helps.


----------
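The following script is an added example and not code from anyone in the thread. It puts the two working approaches side by side in one ruleset for z662's layout (vr0, host 192.168.0.101, jail alias 192.168.0.102): FryShadow's `rdr pass` that redirects connections to the host address into the jail, and sahne's plain `pass in` on the jail's own address, which is the form to use when host and jail listen on the same port. It also wraps DutchDaemon's checks: `pfctl -nf` before loading, `pfctl -sr` / `pfctl -sn` to see the expanded rules, and tcpdump on pflog0 for the logging block rule. The passive FTP port range, the output path (PF_CONF) and the host service ports 2222/80 are assumptions for the example, not facts from the thread; replace them with your own.

```shell
#!/bin/sh
# Added example, not code from the thread: build, syntax-check and load a pf
# ruleset for a jail that shares the host's NIC through an alias address.
# Interface and addresses follow z662's post. Assumptions (not in the thread):
# the jail's ftpd is pinned to the passive range below, the ruleset is written
# to PF_CONF (use /etc/pf.conf on the real host), and host services are 2222/80.
set -eu

EXT_IF="${EXT_IF:-vr0}"
HOST_IP="${HOST_IP:-192.168.0.101}"
JAIL_IP="${JAIL_IP:-192.168.0.102}"
PASV_PORTS="${PASV_PORTS:-49152:49215}"   # assumed passive-mode data range
PF_CONF="${PF_CONF:-/tmp/pf.conf.jail}"    # assumed path for the example

# Print the ruleset. "vr0_alias0" is an rc.conf variable name and "vr0:1" is
# not a pf interface modifier; pf only knows "vr0" (every address on it),
# "vr0:0" (primary address only) and literal addresses, so match on $jail_ip.
gen_ruleset() {
    cat <<EOF
ext_if="$EXT_IF"
host_ip="$HOST_IP"
jail_ip="$JAIL_IP"
pasv_ports="$PASV_PORTS"

# pf.conf order is enforced: options, scrub, translation (rdr), then filter.
set skip on lo0
scrub in all

# FryShadow-style: connections to the HOST address on port 21 are redirected
# into the jail. "rdr pass" adds the pass itself, so the block below
# does not drop the redirected packet.
rdr pass on \$ext_if inet proto tcp from any to \$host_ip port 21 -> \$jail_ip port 21

# Default deny; "log" copies dropped packets to pflog0 for tcpdump.
block in log on \$ext_if

# sahne-style: match on the jail's own address. This keeps working when host
# and jail listen on the same port, because the destination address differs.
pass in on \$ext_if inet proto tcp from any to \$jail_ip port 21 flags S/SA keep state
pass in on \$ext_if inet proto tcp from any to \$jail_ip port \$pasv_ports flags S/SA keep state

# Host services stay bound to the host address.
pass in on \$ext_if inet proto tcp from any to \$host_ip port { 2222, 80 } flags S/SA keep state

pass out on \$ext_if inet proto { tcp, udp, icmp } all keep state
EOF
}

write_ruleset() {
    gen_ruleset > "$PF_CONF"
    printf '%s\n' "$PF_CONF"
}

# Parse first (-n), load only if that succeeds, then show the expanded rules
# so macro mistakes are visible before any traffic is cut off.
load_ruleset() {
    if ! command -v pfctl >/dev/null 2>&1; then
        echo "pfctl not found: skipping load (only meaningful on a pf host)" >&2
        return 0
    fi
    pfctl -nf "$PF_CONF"
    pfctl -f "$PF_CONF"
    pfctl -sr          # filter rules with macros resolved
    pfctl -sn          # translation (rdr) rules
}

# DutchDaemon's debugging step: watch what the logging block rule drops.
watch_drops() {
    tcpdump -n -e -ttt -i pflog0 host "$JAIL_IP"
}

case "${1:-print}" in
    apply) write_ruleset; load_ruleset ;;
    watch) watch_drops ;;
    *)     gen_ruleset ;;
esac
```

Run it with no argument to review the generated ruleset, `apply` to check and load it, and `watch` while a client connects to see which packets the block rule logs. The rdr rule sits before the block rule on purpose: pf of that era rejects a file whose translation rules follow filter rules, and `rdr` without `pass` would leave the redirected packet to be judged by the filter rules, where the default block would catch it.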

