ftp from jails using a proxy
Geoff Roberts
geoff at apro.com.au
Wed Dec 17 07:11:09 UTC 2008
Hi,
I am using FreeBSD 7.0.
I have a server with a single network interface - ext0.
On this server I have a number of jails attached to a pseudo network
interface - lo1. lo1 has the following IP address range: 10.1.1.0/24
(ifconfig create lo1)
I also have jails attached to the external interface ext0
I would like to be able to ftp from the jails on the pseudo interface (lo1) as
well as the external interface (ext). For a range of reasons I want to avoid
a pass out all option on the external interface ext0.
I therefore tried using ftp-proxy. However, I can never get the redirect to
connect to ftp-proxy in the pf rules, no matter which interface or address I
place it on.
I'm beginning to think that redirects to ftp-proxy will only work when there
is incoming traffic on a separate physical interface. Redirecting from a
pseudo interface doesn't seem to work.
See notes below for configuration.
How would you suggest I get this working? Is there a better way to set
this up?
I'd prefer to use passive ftp if possible.
Notes on ftp-proxy configuration
====================
I can verify the fact that ftp is not being redirected via the proxy by running the
proxy in debug:
ftp-proxy -d -D 7 -b (ext0)
where (ext0) is the external IP address
I never get any connections logged by the proxy.
I can't use 127.0.0.1 as jails can't connect to this address.
In my pf rules I have
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on ext0 proto tcp from any to any port 21 -> (ext0) port 8021
rdr on lo1 proto tcp from any to any port 21 -> (ext0) port 8021
anchor "ftp-proxy/*"
pass out log proto tcp from any to any port 21 label "FTP -- ACCEPT "
Kind regards,
Geoff