Re: get bittorrent to work via pf

2005-07-18 Thread Alexander Farber
Hi,

I use a different approach and instead of hardcoding port 
numbers for mldonkey and BitTorrent run those as a separate 
user on my lil' firewall:

altq on $ext_if priq bandwidth 100Kb queue \
{tcp_ack, ssh_login, other, p2p}

queue tcp_ack priority 7 priq
queue ssh_login priority 5 priq
queue other priority 3 priq
queue p2p   priority 1 priq(default)

pass out quick on $ext_if proto tcp from $ext_if to any user p2p \
keep state queue(p2p, tcp_ack)
pass in  quick on $ext_if proto tcp from any to $ext_if user p2p \
keep state queue(p2p, tcp_ack)

pass out quick on $ext_if proto tcp from $ext_if to any port ssh \
keep state queue(other, ssh_login)
pass in  quick on $ext_if proto tcp from any to $ext_if port ssh \
keep state queue(other, ssh_login)

pass out on $ext_if proto tcp from $ext_if to any \
keep state queue(other, tcp_ack)
pass in  on $ext_if proto tcp from any to $ext_if \
keep state queue(other, tcp_ack)

This makes sure you always have a low id and open port
(using the language of those sites ;-)

And I run the bittorrent client with non-standard ports
(--minport, --maxport).

Regards
Alex



Re: get bittorrent to work via pf

2005-07-16 Thread Vivek Ayer
Can I redirect the port to any registered IP address on the subnet? Or
do I have to manually add lines for the IP addresses?

 rdr on $ext_if proto {tcp, udp} from any to $ext_ip port 6881 -> 192.168.1.38 port 6881

Change to:

 rdr on $ext_if proto {tcp, udp} from any to $ext_ip port 6881 -> ($int_if:network) port 6881

Will that clog the port? Or for each host would I have to assign a
different port being redirected from the firewall?

 rdr on $ext_if proto {tcp, udp} from any to $ext_ip port 6881 -> 192.168.1.38 port 6881

 rdr on $ext_if proto {tcp, udp} from any to $ext_ip port 6881 -> 192.168.1.39 port 6882

Thanks guys. Appreciate the help.

Vivek



get bittorrent to work via pf

2005-07-15 Thread Vivek Ayer
Hi all,

I was wondering if anyone has gotten bit torrent (6881) as well as
icecasting (8000) to work behind his/her openbsd firewall? What would
I need to add in pf.conf? Thanks.

Here is my /etc/pf.conf:

#   $OpenBSD: pf.conf,v 1.28 2004/04/29 21:03:09 frantzen Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# macros
ext_if=dc1
int_if=dc0
wir_if=ral0

tcp_services = "{ 22, 113, 6881, 8000, 2234, 2239 }"
icmp_types = "echoreq"
auth_server = "127.0.0.1 port 8080"
table <authorized_hosts> { 10.0.0.2, 10.0.0.3 }

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all
scrub out all

# nat/rdr
nat on $ext_if from $int_if:network -> ($ext_if:0)
nat on $ext_if from $wir_if:network -> ($ext_if:0)
#rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
#rdr on $wir_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
#rdr on $wir_if proto tcp from !<authorized_hosts> to any port www -> \
#	$auth_server
#rdr on $ext_if proto tcp from any to any port 6881 -> $int_if
#rdr on $ext_if proto tcp from any to any port 6881 -> $wir_if
#rdr on $ext_if proto tcp from any to any port 8000 -> $int_if
#rdr on $ext_if proto tcp from any to any port 8000 -> $wir_if

# filter rules
block in log all

pass quick on { lo $int_if }
pass quick on { lo $wir_if }
antispoof quick for { lo $int_if }
antispoof quick for { lo $wir_if }

pass in on $ext_if inet proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) \
   user proxy flags S/SA keep state
pass inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass in on $wir_if from <authorized_hosts> to any keep state
pass in on $wir_if proto tcp from !<authorized_hosts> to $auth_server
pass out on $int_if from any to $int_if:network keep state
pass out on $wir_if from any to <authorized_hosts> keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
#pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
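An added example (not posted by anyone in this thread) of what the commented-out rdr lines in the ruleset above would need to work. The macro names `bt_host` and the address 10.0.0.2 are assumed placeholders for the LAN machine running the client; the interface names are taken from the ruleset above.

```pf
# Added example, not from the thread. bt_host is an assumed placeholder:
# set it to the LAN address of the machine running the BitTorrent client.
ext_if = "dc1"
int_if = "dc0"
bt_host = "10.0.0.2"

# Redirect inbound 6881 to the internal host. Using $int_if as the target
# (as in the commented-out lines above) expands to the firewall's own
# internal address, so the client behind it would never see the traffic.
rdr on $ext_if inet proto tcp from any to ($ext_if) port 6881 -> $bt_host

# Translation runs before filtering, so the filter rules see the translated
# destination: the existing "pass in ... to ($ext_if) port $tcp_services"
# rule no longer matches these packets. The pass rule has to name the
# internal host, and it is limited to the one port and one host so the
# "block in log all" default still covers everything else.
pass in on $ext_if inet proto tcp from any to $bt_host port 6881 \
    flags S/SA keep state

# The same rdr/pass pair, with port 8000, covers the icecast server.
```

Parse the file without loading it (`pfctl -nf /etc/pf.conf`) before applying it; a syntax error in a reloaded ruleset otherwise leaves the previous rules in place without warning at the console.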



Re: get bittorrent to work via pf

2005-07-15 Thread Melameth, Daniel D.
I played with BitTorrent for the first time a few weeks ago and I
imagine you'll need to redirect these inbound requests to the specific
host that is running the software.  While I modify the base rule set
with anchors when this is in use, the premise is the same regardless.

meth is the host running BitTorrent and you can ignore the queuing:

$ cat /etc/pf.bt.conf
# Interfaces
ext_if = pppoe0
int_if = wi0

# Hosts
meth = 192.168.x.x

# BitTorrent
rdr on $ext_if inet proto tcp from ! $int_if:network to \
( $ext_if:0 ) port 6881:6889 -> $meth
pass in log quick on $ext_if inet proto tcp from ! $int_if:network to \
$meth port 6881:6889 flags S/SA keep state \
queue ( torrent, tcp_ack )



Re: get bittorrent to work via pf

2005-07-15 Thread hellsop
On Fri, Jul 15, 2005 at 03:53:02PM -0400, Vivek Ayer wrote:
> Hi all,
>
> I was wondering if anyone has gotten bit torrent (6881) as well as
> icecasting (8000) to work behind his/her openbsd firewall? What would
> I need to add in pf.conf? Thanks.

rdr on $ext_if proto {tcp, udp} from any to $ext_ip port 6881 -> 192.168.1.38 port 6881

has worked for me. Replace 192.168.1.38 with the address of the machine
you want to allow to play on BT.

-- 
68. I will spare someone who saved my life sometime in the past. This is only
reasonable as it encourages others to do so. However, the offer is good 
one time only. If they want me to spare them again, they'd better save my 
life again.  --Peter Anspach's list of things to do as an Evil Overlord



Re: get bittorrent to work via pf

2005-07-15 Thread Shawn K. Quinn
On Fri, 2005-07-15 at 15:15 -0500, [EMAIL PROTECTED] wrote:
> rdr on $ext_if proto {tcp, udp} from any to $ext_ip port 6881 -> 192.168.1.38 port 6881
>
> has worked for me. Replace 192.168.1.38 with the address of the
> machine you want to allow to play on BT.

You don't need UDP for BitTorrent, AFAIK.

-- 
Shawn K. Quinn [EMAIL PROTECTED]



Re: get bittorrent to work via pf

2005-07-15 Thread hellsop
On Fri, Jul 15, 2005 at 04:48:01PM -0500, Shawn K. Quinn wrote:
> On Fri, 2005-07-15 at 15:15 -0500, [EMAIL PROTECTED] wrote:
> > rdr on $ext_if proto {tcp, udp} from any to $ext_ip port 6881 -> 192.168.1.38 port 6881
> >
> > has worked for me. Replace 192.168.1.38 with the address of the
> > machine you want to allow to play on BT.
>
> You don't need UDP for BitTorrent, AFAIK.

Possibly it's not necessary, but the client in use at the time
complained of no UDP access and shut up when it was opened... YMMV.

-- 
A way of life that is odd or even erratic but interferes with no rights or
interests of others is not to be condemned because it is different.
-- Chief Justice Warren E. Burger



Re: get bittorrent to work via pf

2005-07-15 Thread Jacob Meuser
On Fri, Jul 15, 2005 at 03:53:02PM -0400, Vivek Ayer wrote:
> Hi all,
>
> I was wondering if anyone has gotten bit torrent (6881) as well as
> icecasting (8000) to work behind his/her openbsd firewall? What would
> I need to add in pf.conf? Thanks.

while this question was already answered, no one pointed out that the
BitTorrent package installs a README.OpenBSD that explains this,
and has the pf rules you need, assuming that his/her openbsd
firewall is doing NAT.

it generally pays off to check the files installed by a port/
package, especially if one is called README.OpenBSD.

$ pkg_info -L packagename

to see the installed files.

-- 
[EMAIL PROTECTED]