On Thursday, 22 December 2005 13:37, you wrote:
> Hi,
>
> I would like to load/unload an "emule" anchor when needed.
> Unfortunately it does not work as expected as port tcp 4662 traffic coming
> back to my router is still blocked.
> Dec 22 13:05:36.720276 rule 2/(match) block in on pppoe0:
> 80.239.200.108.34965 > 158.64.125.147.4662: [|tcp] (DF)
> Dec 22 13:05:37.330539 rule 2/(match) block in on pppoe0:
> 212.112.238.82.13114 > 158.64.125.147.4662: [|tcp] (DF)
> Dec 22 13:05:39.720729 rule 2/(match) block in on pppoe0:
> 80.239.200.108.34965 > 158.64.125.147.4662: [|tcp] (DF)
> Dec 22 13:05:40.330485 rule 2/(match) block in on pppoe0:
> 212.112.238.82.13114 > 158.64.125.147.4662: [|tcp] (DF)
>
> Maybe I misunderstood the anchors manual, but I honestly don't know what
> is wrong. I would really appreciate it if you can help me on this issue.
>
> Why is the traffic still blocked via this rule "block log (all) all",
> shouldn't it pass through as the anchor rules allow the traffic?
>
> Here is my pf.conf:
> # VARIABLES SECTION #
> int_if="sis0"
> ext_if="pppoe0"
> localnet="172.16.43.0/24"
> outftp="53000:53450"
>
> icmp_types="echoreq"
> icmp_types = "echoreq"
>
> # TABLES SECTION #
> table <friends> {x,y}
> table <hostile> persist
>
> # OPTIONS SECTION #
> set block-policy drop
> set loginterface $ext_if
>
> # SCRUBBING SECTION #
> scrub in on $ext_if all
> scrub out on $ext_if max-mss 1440
>
> # NAT SECTION #
> nat on $ext_if from $localnet to any -> ($ext_if) static-port
>
> # REDIRECTION #
> rdr on $int_if proto tcp from !$ext_if to !$localnet port ftp \
>     -> 127.0.0.1 port ftp-proxy
> rdr on $int_if proto tcp from $localnet to $int_if port ssh \
>     -> $int_if port 8022
>
> rdr-anchor "authpf/*"
> rdr-anchor emule
>

This rdr-anchor is ok.

> #pass quick all
> block quick from <hostile>
> block quick inet6 all

But here you are blocking the emule traffic. You should put here this:

anchor emule
anchor "authpf/*"

and not below.

> block log (all) all
>
> #loopback and internal interface are ok
> pass quick on lo0 all
> pass quick on $int_if all
>
> #### EXTERNAL INTERFACE ####
> pass out on $ext_if inet proto tcp from ($ext_if) to any \
>     flags S/SA modulate state
> pass out on $ext_if inet proto udp from ($ext_if) to any \
>     keep state
> pass out quick on $ext_if inet proto tcp from ($ext_if) to any \
>     port > 1023 user proxy modulate state label ftpproxy
> pass on $ext_if inet proto icmp icmp-type $icmp_types keep state
> anchor emule
> anchor "authpf/*"
>
> END OF PF RULE
>
> Here is my emule anchor (/etc/emule.pf):
> ext_if = "pppoe0"
> MuleIP = "172.16.43.10"
> localnet = "172.16.43.0/24"
> InMuleTCP = "{ 4661, 4662 }"
> InMuleUDP = "{ 4665, 4672 }"
>
> rdr on $ext_if proto tcp from !$localnet to any port 4661:4662 -> $MuleIP \
>     port 4661:*
> rdr on $ext_if proto udp from !$localnet to any port 4665 -> $MuleIP \
>     port 4665
> rdr on $ext_if proto udp from !$localnet to any port 4672 -> $MuleIP \
>     port 4672
>
> pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $InMuleTCP \
>     flags S/SA keep state label eMuleTCP
> pass in quick on $ext_if inet proto udp from any to ($ext_if) port $InMuleUDP \
>     keep state label eMuleUDP
>
> END OF EMULE ANCHOR
>
> The anchor is loaded when I need it via:
> pfctl -v -a emule -f /etc/emule.pf
> and unloaded via:
> pfctl -v -a emule -Fa -sn && pfctl -v -a emule -Fa -sr
>
> THX A LOT FOR HELPING

-- 
Abel Talaversán Estevez
Telecommunications Engineer
Project Analyst
OpenWired
Caballero 87 - Bajos
08029 - Barcelona
Tel. 93 495 0990
Fax. 93 419 4591
Openwired
Alejandro Villegas, 29
28043 - MADRID - SPAIN
Tel.: 91 300 51 09
Fax: 91 300 28 13
http://www.openwired.com
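To make the rule-ordering discussion above concrete, here is a small Python model of the evaluation order pf.conf(5) documents for filter rules: the last matching rule wins, a matching `quick` rule is final, and an anchor's rules are evaluated in place at the anchor's position, so a `quick` match inside the anchor ends evaluation of the whole ruleset. It is an added illustration, not code from the thread or from OpenBSD; it models filtering only (no nat/rdr and no state), and the router address, peer addresses and the contents of the `<hostile>` table are constructed for the example. It places the `emule` anchor in three positions: after `block log (all) all` as in the pf.conf above, between `block quick inet6 all` and `block log (all) all` as suggested in the reply, and at the very top, which is the one to avoid: a `pass quick` inside the anchor would then override `block quick from <hostile>`.

```python
"""pf filter evaluation order, modelled: the last matching rule wins, a
matching 'quick' rule is final, and an anchor's rules run in place at the
anchor's position (a quick match inside the anchor ends evaluation of the
whole ruleset).  Added illustration only: filtering without nat/rdr or
state; addresses and the <hostile> table contents are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, List


@dataclass(frozen=True)
class Packet:
    ifname: str
    direction: str   # "in" or "out"
    af: str          # "inet" or "inet6"
    proto: str
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    action: str      # "pass" or "block"
    quick: bool = False
    label: str = ""
    match: Callable[[Packet], bool] = lambda p: True   # 'all' by default


@dataclass
class Anchor:
    name: str
    rules: List[Rule] = field(default_factory=list)    # empty until loaded


def evaluate(ruleset, pkt):
    """Return (action, winner) for pkt.  Indices count items of their own
    ruleset from 0, the way pfctl numbers them (an anchor rule occupies a
    slot in the main ruleset)."""
    last = None

    def walk(rules, where):
        nonlocal last
        for idx, item in enumerate(rules):
            if isinstance(item, Anchor):
                if walk(item.rules, item.name):
                    return True            # quick match inside anchor: final
                continue
            if item.match(pkt):
                last = (item, where, idx)  # last match wins unless quick
                if item.quick:
                    return True
        return False

    walk(ruleset, "main")
    if last is None:
        return "pass", "no rule matched (pf default)"
    rule, where, idx = last
    return rule.action, f"{where} rule {idx} {rule.label}".strip()


# Constructed values; the thread's own addresses are not used here.
EXT_IF, EXT_IP = "pppoe0", "192.0.2.1"
HOSTILE = [ip_network("203.0.113.0/24")]
MULE_TCP = {4661, 4662}

block_hostile = Rule("block", quick=True, label="block quick from <hostile>",
                     match=lambda p: any(ip_address(p.src) in n for n in HOSTILE))
block_inet6 = Rule("block", quick=True, label="block quick inet6 all",
                   match=lambda p: p.af == "inet6")
block_all = Rule("block", label="block log (all) all")


def emule_filter_rules():
    """The 'pass in quick ... port $InMuleTCP' rule of the emule anchor."""
    return [Rule("pass", quick=True, label="pass in quick ... label eMuleTCP",
                 match=lambda p: p.direction == "in" and p.ifname == EXT_IF
                 and p.af == "inet" and p.proto == "tcp"
                 and p.dst == EXT_IP and p.dport in MULE_TCP)]


def main_ruleset(anchor_at, loaded):
    """Main ruleset with the emule anchor placed at 'anchor_at': 'top',
    'before_block_all' (as the reply suggests) or 'after_block_all' (as in
    the posted pf.conf).  loaded=False is the state after 'pfctl -a emule -Fa'."""
    emule = Anchor("emule", emule_filter_rules() if loaded else [])
    if anchor_at == "top":
        return [emule, block_hostile, block_inet6, block_all]
    if anchor_at == "before_block_all":
        return [block_hostile, block_inet6, emule, block_all]
    return [block_hostile, block_inet6, block_all, emule]


PEER = Packet(EXT_IF, "in", "inet", "tcp", "198.51.100.7", EXT_IP, 4662)
HOSTILE_PEER = Packet(EXT_IF, "in", "inet", "tcp", "203.0.113.9", EXT_IP, 4662)

if __name__ == "__main__":
    for at in ("after_block_all", "before_block_all", "top"):
        for loaded in (False, True):
            for name, pkt in (("peer", PEER), ("hostile", HOSTILE_PEER)):
                print(f"{at:17} loaded={loaded!s:5} {name:8}",
                      evaluate(main_ruleset(at, loaded), pkt))
```

With the anchor flushed, the model reports the block coming from main rule 2, `block log (all) all`, which is the rule number the pflog lines above show; with the anchor loaded in the position the reply suggests, an ordinary peer is passed by the anchor's `quick` rule while a host in `<hostile>` is still stopped by main rule 0. Only the top position lets a hostile host through, which is why the anchor belongs after the `block quick` rules, not before them.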