Karl O. Pinc wrote:

On 05/12/2008 04:32:05 PM, Christer Solskogen wrote:
If I do not use the binat-rule, connecting to games (in CoH) will not work. But CoH also seems to be the only game with that kind of problem.

If I am not mistaken, using a binat-rule also makes my machine vulnerable to other stuff. I am under the impression that the ports I define in the rdr rules are wrong (which means the documentation for CoH is wrong)

Based on your previous post you are using an RFC1918 address
space inside your LAN.  Unless you NAT your traffic it will
not route on the Internet.  I suggest you read up on
networking and what NAT does.

Oh, I have NAT. And that works perfectly. I just snipped that information out of pf.conf. I only included stuff that I think is relevant.

"The Book of PF" might be good.  It will surely teach
you about pf.  I've not read it yet so don't know
how much basic networking is explained.


Take a look at the first few pages and you'll notice my name there as well :)

This is my full pf.conf:

# Macros: interfaces, hosts and port lists
int_if = "rl0"
ext_if = "rl1"
localnet = $int_if:network
server = "192.168.0.3"
serverports = "{ http, https, smtp, ssh, imaps, domain, ftp, 6950:6999, 60000:65534 }"
CoH_ports = "{ 6112, 9100, 30260 }"

funshine = "192.168.0.12"

# Options and normalization
set skip on lo0
set loginterface $ext_if
set block-policy return
set require-order yes
set optimization normal
scrub in all

# Outbound NAT: hide the LAN behind the external address
nat on $ext_if from $localnet to any -> ($ext_if)

# Inbound redirects to the server ("rdr pass" also creates the matching pass rule)
rdr pass log on $ext_if proto { tcp, udp } from any to $ext_if port $serverports -> $server

# Inbound redirects for the game client on funshine
rdr pass log on $ext_if proto tcp from any to $ext_if port 1500:1550 -> $funshine
rdr pass log on $ext_if proto udp from any to $ext_if port $CoH_ports -> $funshine
# Bidirectional 1:1 mapping funshine <-> 85.200.10.151, all protocols and ports;
# filter rules below still decide what is passed
binat on $ext_if from $funshine to any -> 85.200.10.151

# NAT reflection so LAN hosts can reach the server via the external address
rdr on $int_if proto { tcp, udp } from $localnet to $ext_if port $serverports -> $server
no nat on $int_if proto { tcp, udp } from $int_if to $localnet
nat on $int_if proto { tcp, udp } from $localnet to $server port $serverports -> $int_if

# ftp-proxy(8) hooks
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
antispoof log for $ext_if inet
antispoof log for $int_if inet

# Default deny inbound on the external interface
block in log on $ext_if all

anchor "ftp-proxy/*"

# Brute-force protection for ssh/ftp
table <bruteforce> persist
block log quick from <bruteforce>

pass inet proto tcp from any to $localnet port { ssh, ftp } \
        flags S/SA keep state \
        (max-src-conn 10, max-src-conn-rate 10/5, \
        overload <bruteforce> flush global)

pass inet proto icmp from any to any
pass inet proto tcp from any to $ext_if port auth
pass in on $ext_if proto tcp from any to $ext_if port 2222
pass out all



--
chs
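An added illustration of the difference between the two translation styles in the pf.conf above; this is editor-supplied example config, not part of the original post or of pf's own documentation. rdr maps only the listed ports of the external address to the inside host, so nothing else sent to that address can reach it. binat maps the whole public address 85.200.10.151 to funshine in both directions, for every protocol and port; pf applies translation before filtering on inbound packets, so the filter rules see those packets with funshine as the destination and the port restriction has to live in the filter rules. Because funshine is inside $localnet, a pass rule with no interface or direction (such as the ssh/ftp rule in the posted config) would also match inbound connections to the public address after translation. The fragment below reuses the addresses and ports from the post; the explicit "pass in quick" / "block in quick" rules for the mapped host, and the assumption that the game needs only those ports, are mine.

```pf
# Added example (not from the original post); macros reuse the posted values.
ext_if    = "rl1"
funshine  = "192.168.0.12"
pub_addr  = "85.200.10.151"          # public address mapped to funshine (from the post)
CoH_tcp   = "1500:1550"              # TCP range from the posted rdr rule
CoH_ports = "{ 6112, 9100, 30260 }"  # UDP ports from the posted rdr rule

# Style 1: rdr. Only these ports of $ext_if are redirected; any other packet
# sent to $ext_if never gets funshine as its destination, whatever the filter says.
rdr pass log on $ext_if proto tcp from any to $ext_if port $CoH_tcp   -> $funshine
rdr pass log on $ext_if proto udp from any to $ext_if port $CoH_ports -> $funshine

# Style 2: binat. The whole public address is mapped 1:1 to funshine, both
# directions, all protocols and ports. Inbound packets to $pub_addr reach the
# filter with destination $funshine, so restrict them here, not in the mapping.
binat on $ext_if from $funshine to any -> $pub_addr

block in log on $ext_if all

# Allow only the game ports to the mapped host, then stop evaluation for
# anything else addressed to it. The "quick" block keeps later, broader rules
# (for example "pass inet proto tcp from any to $localnet port { ssh, ftp }")
# from re-opening funshine through the public address.
pass in quick on $ext_if inet proto tcp from any to $funshine port $CoH_tcp \
        flags S/SA keep state
pass in quick on $ext_if inet proto udp from any to $funshine port $CoH_ports \
        keep state
block in log quick on $ext_if inet from any to $funshine

pass out on $ext_if all keep state
```

With this ordering, `pfctl -nf` on the fragment is the quick syntax check; to see what a live ruleset actually matches for the mapped host, `pfctl -vsr` shows the expanded rules and `tcpdump -n -e -ttt -i pflog0` shows what the default deny and the quick block are dropping.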
