Laurent Cheylus wrote:
> Hi,
>
> extract from my pf.conf to allow redirection and incoming connections from
> Emule clients to an internal LAN computer (192.169.0.100) :
>
> $EXT is my external interface (connected to my ISP) :
>
> # Redirect TCP/4662 and UDP/4672 for Emule on 192.168.0.100
> rdr on $EXT proto tcp from any to any port 4662 -> 192.168.0.100 port 4662
> rdr on $EXT proto udp from any to any port 4672 -> 192.168.0.100 port 4672
>
> # Allow ports UDP/4672, TCP/4662 for EDonkey
> pass in on $EXT inet proto tcp from any to 192.168.0.100 port = 4662 keep state
> pass in on $EXT inet proto udp from any to 192.168.0.100 port = 4672 keep state
>
> With this conf, I have Emule high ID on every server :-)
Well, I think I have comparable redirect and filter rules.

rdr pass on $EXT proto tcp from any to any port 4661 -> 192.168.0.20
rdr pass on $EXT proto tcp from any to any port 4662 -> 192.168.0.20
rdr pass on $EXT proto udp from any to any port 4665 -> 192.168.0.20
rdr pass on $EXT proto udp from any to any port 4672 -> 192.168.0.20

The "pass" in the redirect rules should bypass every filter rule, shouldn't it?

From inside the LAN to the outside world everything is natted with:

nat on tun0 inet from 192.168.0.0/25 to any -> (tun0)

Everything else is blocked. Two SYN packets logged on tun0 which are blocked and shouldn't be:

00:30:19.416779 38.119.96.62.39676 > angus.tower-net.all.4662: S 3084810608:3084810608(0) win 5840 <mss 1452> (DF)
01:07:50.127188 64.246.54.138.40306 > angus.tower-net.all.4662: S 9741768:9741768(0) win 5840 <mss 1452,sackOK,timestamp[|tcp]> (DF) [tos 0x10]

angus.tower-net.all = 192.168.0.20

I have solved my problem... I think you guys do not block traffic from the router to your internal LAN and from your internal LAN to the router. I do. For that you have to know that the redirect passes on $EXT are not passed up to the interface for 192.168.0.20. It just passes the $EXT interface. Next, all the filters and blocks from the router out to the internal interface for the LAN are valid. I had no rules that packets to ports 4661, 4662, 4665 and 4672 can pass the way from the router over the internal interface to my LAN computer. I thought if the packets are in on the $EXT interface, they are in and can go on. But they were not allowed to go anywhere from $EXT. So they've been blocked at $EXT. That was my error. For a pf newbie it is very difficult to find this. Well, after many tries, tests and tcpdumps the light was on ;o)

I need rules for all ports like this one:

pass out on ne0 inet proto udp from any to 192.168.0.20 port = 4665 keep state

n8 mk
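The point the reply works out, as an added example that is not from either poster: a complete pf.conf fragment in the pre-4.7 syntax used in this thread, where "rdr pass" exempts the redirected packet from the filter only on the external interface, so a default-deny ruleset still needs an explicit "pass out" on the internal interface. Interface names, addresses and ports follow the post; the macro names and the LAN-to-internet rules at the end are assumptions.

```pf
# Added example (not the poster's own ruleset). Interfaces and addresses
# as in the thread; macro names are assumed.
ext_if = "tun0"
int_if = "ne0"
lan    = "192.168.0.0/25"
emule  = "192.168.0.20"
emule_tcp = "{ 4661, 4662 }"
emule_udp = "{ 4665, 4672 }"

# Outbound NAT for the LAN, as in the post.
nat on $ext_if inet from $lan to any -> ($ext_if)

# Redirect the eMule ports to the LAN host. The "pass" keyword skips the
# filter rules on $ext_if only; the translated packet is filtered again
# when it leaves the router on $int_if.
rdr pass on $ext_if inet proto tcp from any to any port $emule_tcp -> $emule
rdr pass on $ext_if inet proto udp from any to any port $emule_udp -> $emule

# Default deny on every interface, logged to pflog0 so blocked SYNs
# can be seen with tcpdump, as the poster did.
block log all

# The rules the poster was missing: allow the redirected packets OUT on
# the internal interface towards the eMule host. Without these, the
# SYNs pass $ext_if and are dropped on $int_if by "block log all".
pass out on $int_if inet proto tcp from any to $emule port $emule_tcp \
    flags S/SA keep state
pass out on $int_if inet proto udp from any to $emule port $emule_udp \
    keep state

# Assumed rules for LAN-originated traffic so the rest of the LAN still
# works under the default deny (not part of the thread).
pass in  on $int_if inet from $lan to any keep state
pass out on $ext_if inet keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check; the "block log all" line means a missing "pass out on $int_if" shows up on pflog0 as a SYN to 192.168.0.20 rather than as a silent drop.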
