Hello
Port forwarding worked fine for TCP; then came the UDP case, and I just
don't understand why I can't redirect two UDP ports (34518, 34519) to a
LAN computer.
Can somebody show me the correct way to write an rdr rule for UDP?
I'm on OpenBSD 3.4 GENERIC (!).
A happy and peaceful new year to all.
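# Firewall PF - OpenBSD
# V 1.0 2003-12-07
#
# Single-homed gateway: $Ext (tun0) faces the Internet, $Int (rl1) is the
# trusted LAN 192.168.1.0/24, which is NATed behind $Ext. A small set of
# inbound TCP/UDP services is admitted on $Ext; UDP 34518-34519 is
# redirected to one LAN host.
#
# Rules in this file that were broken across two lines by the mail client
# (rdr target port, icmp-type redir, "keep s/tate", the pass out rule) have
# been rejoined: pfctl will not load them as they were printed.
###############
# MACROS
Ext = "tun0"
Int = "rl1"
Loop = "lo0"
# NOTE(review): the posted file defined IntNet, NoRoute, OutServicesTCP,
# OutServicesUDP and the whole OPTIONS section twice. pfctl applies the last
# definition of a macro, so only the later copy is kept here. The discarded
# earlier copy had OutServicesTCP = "{ auth, 55555, 8080 }" -- confirm which
# list is intended before loading this file.
IntNet = "192.168.1.0/24"
# Private, loopback, link-local, test and multicast ranges that must never be
# seen as a source on, or routed out of, the external interface.
NoRoute = "{ 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3, 255.255.255.255/32 }"
# Services admitted *inbound* on $Ext (despite the "Out" in the names, these
# macros are only referenced by the "pass in" rules below).
OutServicesTCP = "{ auth }"
# NOTE(review): listing domain and ntp here lets any Internet host deliver
# DNS/NTP datagrams to $Ext's own address (nothing redirects them), not only
# to the LAN. Narrow the pass rule's destination if the gateway itself is not
# meant to answer them.
OutServicesUDP = "{ ntp, domain, 34518, 34519 }"
################
# OPTIONS
# collect interface statistics on tun0
set loginterface tun0
# cap the state table and the fragment reassembly table
set limit { states 20000, frags 20000 }
# long timeouts for tracked connections
set optimization conservative
# answer blocked packets with TCP RST / ICMP unreachable instead of dropping
# them silently. NOTE(review): this means an ICMP "udp port unreachable"
# seen on $Ext can come either from pf rejecting the datagram or from the
# local stack having no listener; the two cases look identical in tcpdump.
set block-policy return
###############
# NORMALISATION
scrub in all
# Create two packet queues: one for regular traffic, another for
# high priority: TCP ACKs and packets with ToS 'lowdelay'
altq on $Ext priq bandwidth 125Kb queue { highpri_q, default_q }
queue highpri_q priority 7
queue default_q priority 1 priq(default)
###############
# NAT
nat on $Ext from $IntNet to any -> $Ext
# Redirect UDP 34518-34519 arriving on $Ext to the LAN host, same ports.
# Translation happens before filtering, so the filter rules below see the
# packet with destination 192.168.1.13; the "pass in ... $OutServicesUDP"
# rule still matches it because it is written "to any".
# NOTE(review): the tcpdump posted with this file shows "udp port
# unreachable" replies sourced from $Ext's own address, so the datagrams were
# either not translated or were blocked. Verify that this file actually
# loaded (pfctl -s nat, pfctl -s rules), whether a state is created on
# arrival (pfctl -s state), and which rule logged the packet
# (tcpdump -n -e -ttt -i pflog0).
rdr on $Ext proto udp from any to any port 34518:34519 -> 192.168.1.13 port 34518:34519
###############
# FILTERING
# Don't bug loopback
pass out quick on $Loop from any to any
pass in quick on $Loop from any to any
antispoof for $Loop
# Don't bother the inside interface either (the LAN is fully trusted)
pass out quick on $Int from any to any
pass in quick on $Int from any to any
# Default for $Ext: block and log everything inbound. Not "quick", so it only
# takes effect when no later rule matches.
block in log on $Ext all
# block out log on $Ext all
# silently drop broadcasts
block in quick on $Ext from any to 255.255.255.255
# block scans nmap + fingerprint tcp/ip
block in log quick on $Ext inet proto tcp from any to any flags FUP/FUP
block in log quick on $Ext inet proto tcp from any to any flags SF/SFRA
block in log quick on $Ext inet proto tcp from any to any flags /SFRA
# block some non routable
block in log quick on $Ext from $NoRoute to any
block out log quick on $Ext from any to $NoRoute
# Block any inherently bad packets coming in from the outside world.
# These include ICMP redirect packets and IP fragments so short the
# filtering rules won't be able to examine the whole UDP/TCP header.
#
block in log quick on $Ext inet proto icmp from any to any icmp-type redir
# ICMP: allow incoming ping and traceroute only
#
pass in quick on $Ext inet proto icmp from any to any icmp-type { \
    echorep, echoreq, timex, unreach }
block in log quick on $Ext inet proto icmp from any to any
# TCP: OutservicesTCP incoming. Only match
# SYN packets, and allow the state table to handle the rest of the
# connection. ACKs and ToS "lowdelay" are given priority.
#
pass in quick on $Ext inet proto tcp from any to any port $OutServicesTCP \
    flags S/SA modulate state queue (default_q, highpri_q)
# UDP: OutServicesUDP incoming, with state so the LAN host's replies to the
# redirected ports get back out through $Ext.
pass in quick on $Ext inet proto udp from any to any port $OutServicesUDP keep state
# pass all outgoing and keep state
pass out quick on $Ext inet proto { tcp, udp, icmp } from any to any keep state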
-------------------------------------------------
# tcpdump -i tun0
tcpdump: listening on tun0
05:31:39.775975 81.185.217.57.59670 > 216.40.247.50.34518: udp 12
05:31:39.777112 81.185.217.57.59670 > 216.40.247.50.34518: udp 12
05:31:39.778054 81.185.217.57.59889 > 216.40.247.50.34519: udp 12
05:31:39.778629 81.185.217.57.59889 > 216.40.247.50.34519: udp 12
05:31:39.926542 216.40.247.50 > 81.185.217.57: icmp: 216.40.247.50 udp
port 34518 unreachable
05:31:39.926921 216.40.247.50 > 81.185.217.57: icmp: 216.40.247.50 udp
port 34518 unreachable
05:31:39.928500 216.40.247.50 > 81.185.217.57: icmp: 216.40.247.50 udp
port 34519 unreachable
05:31:39.931215 216.40.247.50 > 81.185.217.57: icmp: 216.40.247.50 udp
port 34519 unreachable