How to set up pf to be able to access a NATed ftp server inside a jail


January 2013.

Situation


You have a proftpd installation inside a FreeBSD jail. The jails use internal IP addresses and sit behind a NATed WAN IP address. When a client enters passive mode, nothing works: the control connection on port 21 is fine, but the data connection never comes up.

Configuration



/usr/local/etc/proftpd.conf (in the jail)

MasqueradeAddress 198.51.100.42
PassivePorts 54000 55000

/etc/pf.conf (on the host)

# Macros used by the rules below (example values; substitute your own)
wan_if = "em0"                # external interface of the host
wan_addr = "198.51.100.42"    # WAN address, must match MasqueradeAddress in the jail
jail_addr = "10.0.0.2"        # internal address of the jail (placeholder)

# NAT from jail -> WAN
nat pass on $wan_if from $jail_addr to any -> $wan_addr

# Redirect good ol' 21 (the FTP control connection)
rdr pass on $wan_if proto tcp from any to $wan_addr port 21 -> $jail_addr port 21
# Redirect the passive data ports 1:1. "54000:*" keeps the same port numbers on the
# jail side, which matters because proftpd announces its own PassivePorts in the PASV reply.
rdr pass on $wan_if proto tcp from any to $wan_addr port 54000:55000 -> $jail_addr port 54000:*
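A consistency check for the two fragments above, added here as an example and not part of the original post: it parses the proftpd and pf lines (the macro values and the jail address are placeholders) and reports the mismatches that leave passive mode broken, namely a MasqueradeAddress that pf does not redirect, a PassivePorts range the rdr rule does not cover, and an rdr rule that shifts the range instead of mapping it 1:1.

```python
import re
# Constructed fragments mirroring the post's configuration; macro values are placeholders.
PROFTPD_CONF = """\
MasqueradeAddress 198.51.100.42
PassivePorts 54000 55000
"""
PF_CONF = """\
wan_if = "em0"
wan_addr = "198.51.100.42"
jail_addr = "10.0.0.2"
nat pass on $wan_if from $jail_addr to any -> $wan_addr
rdr pass on $wan_if proto tcp from any to $wan_addr port 21 -> $jail_addr port 21
rdr pass on $wan_if proto tcp from any to $wan_addr port 54000:55000 -> $jail_addr port 54000:*
"""
RDR_RE = re.compile(r'to (\S+) port (\d+)(?::(\d+))? -> (\S+) port (\d+)')  # to <wan> port lo[:hi] -> <jail> port jlo

def parse_proftpd(text):
    """Return (MasqueradeAddress, (low, high)) from a proftpd.conf fragment."""
    addr = re.search(r'^\s*MasqueradeAddress\s+(\S+)', text, re.M)
    ports = re.search(r'^\s*PassivePorts\s+(\d+)\s+(\d+)', text, re.M)
    if not addr or not ports:
        raise ValueError("need both MasqueradeAddress and PassivePorts")
    return addr.group(1), (int(ports.group(1)), int(ports.group(2)))

def parse_pf_rdr(text):
    """Expand pf macros and yield (wan_addr, low, high, jail_addr, jail_low) per rdr rule."""
    macros = dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', text, re.M))
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line.startswith('rdr'):
            continue
        line = re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), line)
        m = RDR_RE.search(line)
        if m:
            low = int(m.group(2))
            yield m.group(1), low, int(m.group(3) or low), m.group(4), int(m.group(5))

def check_passive_mapping(proftpd_text, pf_text):
    """Return a list of problems; empty means PASV data connections will be redirected."""
    masq, (plow, phigh) = parse_proftpd(proftpd_text)
    rules = list(parse_pf_rdr(pf_text))
    problems = []
    if not any(r[0] == masq for r in rules):
        problems.append(f"no rdr rule targets MasqueradeAddress {masq}")
    if not any(r[0] == masq and r[1] <= plow <= phigh <= r[2] for r in rules):
        problems.append(f"PassivePorts {plow}-{phigh} are not fully covered by one rdr rule on {masq}")
    for wan, low, high, jail, jlow in rules:
        if wan == masq and high > low and jlow != low:  # range is shifted, not mapped 1:1
            problems.append(f"rdr shifts {low}-{high} to {jlow} on {jail}, but proftpd announces {low}-{high}")
    return problems
```

Call `check_passive_mapping(PROFTPD_CONF, PF_CONF)` to run it; for the configuration above it returns an empty list.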