Re: pf questions

Thu, 14 Jul 2005 17:59:28 -0700 

Sorry for the short question. No, actually one is one a wired network,
the other is on a wireless network both connected to the firewall. I'm
sending you my pf.conf. Check it out. The reason this is a problem is
because I keep getting a NAT error in Azureus when I test the port.

/etc/pf.conf

#       $OpenBSD: pf.conf,v 2.28 2004/04/29 21:03:09 frantzen Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# macros
ext_if="dc1"
int_if="dc0"
wir_if="ral0"

tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"
auth_server = "127.0.0.1 port 8080"
table <authorized_hosts> { 10.0.0.3 }

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all
scrub out all

# nat/rdr
nat on $ext_if from $int_if:network -> ($ext_if:0)
nat on $ext_if from $wir_if:network -> ($ext_if:0)
#rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
#rdr on $wir_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
#rdr on $wir_if proto tcp from !<authorized_hosts> to any port www -> \
    $auth_server
rdr on $ext_if proto tcp from any to any port 6881 -> $int_if
rdr on $ext_if proto tcp from any to any port 6881 -> $wir_if
rdr on $ext_if proto tcp from any to any port 8000 -> $int_if
rdr on $ext_if proto tcp from any to any port 8000 -> $wir_if


# filter rules
block in log all

pass quick on { lo $int_if }
pass quick on { lo $wir_if }
antispoof quick for { lo $int_if }
antispoof quick for { lo $wir_if }

pass in on $ext_if inet proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) \
   user proxy flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass in on $wir_if from <authorized_hosts> to any keep state
pass in on $wir_if proto tcp from !<authorized_hosts> to $auth_server
pass out on $int_if from any to $int_if:network keep state
pass out on $wir_if from any to <authorized_hosts> keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
#pass in on $ext_if proto tcp to ($ext_if) port ssh keep state



I'd like to download bit torrent stuff at a high speed rate and also
have some pinging going on between my clients. Anything you see I
don't? Thanks.

Vivek

Reply via email to