How to set up pf to be able to access a NATed FTP server inside a jail
January 2013.
Situation
You have a ProFTPD installation inside a FreeBSD jail. The jail uses an internal IP address and sits behind a NATed WAN IP address. When a client enters passive mode, the data connection fails.
Configuration
- WAN IP: 198.51.100.42
- Jail IP: 10.0.0.14
/usr/local/etc/proftpd.conf (in the jail)
# Advertise the WAN address in PASV replies instead of the jail's private IP
MasqueradeAddress 198.51.100.42
# Confine passive data connections to a range the host can redirect
PassivePorts 54000 55000
/etc/pf.conf (on the host)
# Macros used by the rules below; the interface name is an example, use your own
wan_if = "em0"
wan_addr = "198.51.100.42"
jail_addr = "10.0.0.14"
# NAT from jail -> WAN
nat pass on $wan_if from $jail_addr to any -> $wan_addr
# Redirect good ol' 21 (the control connection)
rdr pass on $wan_if proto tcp from any to $wan_addr port 21 -> $jail_addr port 21
# Redirect passive ports, same range as PassivePorts in proftpd.conf, mapped 1:1
rdr pass on $wan_if proto tcp from any to $wan_addr port 54000:55000 -> $jail_addr port 54000:*
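The two configuration files only work together if the address and port that ProFTPD advertises in its 227 reply are the WAN address and a port inside the redirected range. The script below is an added example, not part of the original article: it parses a PASV reply, reports which of the two settings is missing when the reply is wrong, and can optionally ask a live server for PASV. The three sample replies are constructed; the WAN address and port range are the ones used on this page.

```python
import re
from ftplib import FTP

# Values from this page's example configuration.
WAN_IP = "198.51.100.42"
PASSIVE_LO, PASSIVE_HI = 54000, 55000

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
_PASV_RE = re.compile(r"227[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return the (ip, port) advertised in a 227 reply, or raise ValueError."""
    m = _PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h = m.groups()
    ip = ".".join(h[:4])
    port = int(h[4]) * 256 + int(h[5])
    return ip, port


def check_pasv(reply, wan_ip=WAN_IP, lo=PASSIVE_LO, hi=PASSIVE_HI):
    """Decide whether a client could reach the data port through the NAT.

    Returns (ok, reason); reason names the setting that is likely missing.
    """
    try:
        ip, port = parse_pasv(reply)
    except ValueError as e:
        return False, str(e)
    if ip != wan_ip:
        # Symptom of a missing MasqueradeAddress: the jail's private address
        # leaks into the reply and the client tries to connect to it.
        return False, "advertised %s instead of WAN %s (MasqueradeAddress?)" % (ip, wan_ip)
    if not lo <= port <= hi:
        # The rdr rule only covers the PassivePorts range; anything else is
        # never redirected to the jail.
        return False, "port %d outside %d-%d (PassivePorts / rdr range)" % (port, lo, hi)
    return True, "ok: %s:%d" % (ip, port)


def live_check(host, user="anonymous", password="ftp@example.invalid", timeout=10):
    """Ask a running server for PASV and check its reply (needs network access)."""
    ftp = FTP()
    ftp.connect(host, 21, timeout=timeout)
    ftp.login(user, password)
    try:
        return check_pasv(ftp.sendcmd("PASV"))
    finally:
        ftp.quit()


# Constructed sample replies: correct, private IP leaking, port outside the range.
SAMPLES = {
    "good": "227 Entering Passive Mode (198,51,100,42,211,30).",
    "leak": "227 Entering Passive Mode (10,0,0,14,211,30).",
    "outside": "227 Entering Passive Mode (198,51,100,42,195,80).",
}

if __name__ == "__main__":
    for name, reply in SAMPLES.items():
        print(name, check_pasv(reply))
```

Run it from a machine outside the NAT with `live_check("198.51.100.42")` to confirm the deployed server answers with the WAN address and a port in 54000-55000; the offline samples show what the reply looks like when MasqueradeAddress or PassivePorts is missing.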