Re: get bittorrent to work via pf
Hi,

I use a different approach and instead of hardcoding port numbers for mldonkey and BitTorrent run those as a separate user on my lil' firewall:

    altq on $ext_if priq bandwidth 100Kb queue \
        { tcp_ack, ssh_login, other, p2p }
    queue tcp_ack   priority 7 priq
    queue ssh_login priority 5 priq
    queue other     priority 3 priq
    queue p2p       priority 1 priq(default)

    pass out quick on $ext_if proto tcp from $ext_if to any user p2p \
        keep state queue(p2p, tcp_ack)
    pass in  quick on $ext_if proto tcp from any to $ext_if user p2p \
        keep state queue(p2p, tcp_ack)
    pass out quick on $ext_if proto tcp from $ext_if to any port ssh \
        keep state queue(other, ssh_login)
    pass in  quick on $ext_if proto tcp from any to $ext_if port ssh \
        keep state queue(other, ssh_login)
    pass out on $ext_if proto tcp from $ext_if to any \
        keep state queue(other, tcp_ack)
    pass in  on $ext_if proto tcp from any to $ext_if \
        keep state queue(other, tcp_ack)

This makes sure you always have a low id and open port (using the language of those sites ;-) And I run the BitTorrent client with non-standard ports (--minport, --maxport).

Regards
Alex
Re: get bittorrent to work via pf
Can I redirect the port to any registered IP address on the subnet? Or do I have to manually add lines for the IP addresses?

    rdr on $ext_if proto {tcp, udp} from any to $ext_ip port 6881 -> 192.168.1.38 port 6881

Change to:

    rdr on $ext_if proto {tcp, udp} from any to $ext_ip port 6881 -> ($int_if:network) port 6881

Will that clog the port? Or for each host would I have to assign a different port being redirected from the firewall?

    rdr on $ext_if proto {tcp, udp} from any to $ext_ip port 6881 -> 192.168.1.38 port 6881
    rdr on $ext_if proto {tcp, udp} from any to $ext_ip port 6881 -> 192.168.1.39 port 6882

Thanks guys. Appreciate the help.

Vivek
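An added example, not posted by anyone in this thread, showing the per-host pattern the question above is asking about in pf's own syntax. The interface names, the addresses 192.168.1.38, 192.168.1.39 and 192.168.1.40, and the port assignments are placeholders chosen for illustration. A redirection target that expands to more than one address (an address list, or a macro such as $int_if:network) is treated by pf as a redirection pool and new inbound connections are spread across its members, so a peer would land on an arbitrary host rather than on the one running the client. The working pattern is one rdr per host, with a distinct external port when several hosts run the same service (translation rules are first-match, so two rdr rules on the same external port would never both fire), plus a pass rule for the translated destination, because rdr only rewrites the packet and filtering sees the internal address.

```pf
# Added example (not from the thread): one external port per internal peer.
# Interface names, addresses and ports are placeholders for illustration.
ext_if = "dc1"
int_if = "dc0"

bt_host1 = "192.168.1.38"   # client started with --minport 6881 --maxport 6881
bt_host2 = "192.168.1.39"   # client started with --minport 6882 --maxport 6882
ice_host = "192.168.1.40"   # icecast listening on its default port 8000

# Do NOT do this: a target that expands to several addresses is a pool,
# and each new inbound connection is handed to one of its members.
#rdr on $ext_if proto tcp from any to ($ext_if) port 6881 -> ($int_if:network) port 6881

# One rdr per host. The external port must differ when two hosts want the
# same service, because the first matching rdr rule wins.
rdr on $ext_if proto tcp from any to ($ext_if) port 6881 -> $bt_host1 port 6881
rdr on $ext_if proto tcp from any to ($ext_if) port 6882 -> $bt_host2 port 6882
rdr on $ext_if proto tcp from any to ($ext_if) port 8000 -> $ice_host port 8000

# rdr only rewrites the destination; the filter sees the translated packet,
# so the pass rules name the internal host, not the external address.
pass in on $ext_if inet proto tcp from any to $bt_host1 port 6881 \
    flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $bt_host2 port 6882 \
    flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $ice_host port 8000 \
    flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, load with `pfctl -f /etc/pf.conf`, and confirm the result with `pfctl -sn` (translation rules) and `pfctl -sr` (filter rules). The `($ext_if)` form makes the rules follow a dynamically assigned external address, which matters on PPPoE or DHCP links.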
get bittorrent to work via pf
Hi all,

I was wondering if anyone has gotten bit torrent (6881) as well as icecasting (8000) to work behind his/her openbsd firewall? What would I need to add in pf.conf? Thanks.

Here is my /etc/pf.conf:

    # $OpenBSD: pf.conf,v 1.28 2004/04/29 21:03:09 frantzen Exp $
    #
    # See pf.conf(5) and /usr/share/pf for syntax and examples.
    # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
    # in /etc/sysctl.conf if packets are to be forwarded between interfaces.

    # macros
    ext_if=dc1
    int_if=dc0
    wir_if=ral0
    tcp_services = { 22, 113, 6881, 8000, 2234, 2239 }
    icmp_types = echoreq
    auth_server = 127.0.0.1 port 8080
    table <authorized_hosts> { 10.0.0.2, 10.0.0.3 }

    # options
    set block-policy return
    set loginterface $ext_if

    # scrub
    scrub in all
    scrub out all

    # nat/rdr
    nat on $ext_if from $int_if:network -> ($ext_if:0)
    nat on $ext_if from $wir_if:network -> ($ext_if:0)
    #rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
    #rdr on $wir_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
    #rdr on $wir_if proto tcp from !<authorized_hosts> to any port www -> \
    #    $auth_server
    #rdr on $ext_if proto tcp from any to any port 6881 -> $int_if
    #rdr on $ext_if proto tcp from any to any port 6881 -> $wir_if
    #rdr on $ext_if proto tcp from any to any port 8000 -> $int_if
    #rdr on $ext_if proto tcp from any to any port 8000 -> $wir_if

    # filter rules
    block in log all
    pass quick on { lo $int_if }
    pass quick on { lo $wir_if }
    antispoof quick for { lo $int_if }
    antispoof quick for { lo $wir_if }
    pass in on $ext_if inet proto tcp from any to ($ext_if) \
        port $tcp_services flags S/SA keep state
    pass in on $ext_if inet proto tcp from any to ($ext_if) \
        user proxy flags S/SA keep state
    pass inet proto icmp all icmp-type $icmp_types keep state
    pass in on $int_if from $int_if:network to any keep state
    pass in on $wir_if from <authorized_hosts> to any keep state
    pass in on $wir_if proto tcp from !<authorized_hosts> to $auth_server
    pass out on $int_if from any to $int_if:network keep state
    pass out on $wir_if from any to <authorized_hosts> keep state
    pass out on $ext_if proto tcp all modulate state flags S/SA
    pass out on $ext_if proto { udp, icmp } all keep state
    #pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
Re: get bittorrent to work via pf
I played with BitTorrent for the first time a few weeks ago and I imagine you'll need to redirect these inbound requests to the specific host that is running the software. While I modify the base rule set with anchors when this is in use, the premise is the same regardless. meth is the host running BitTorrent and you can ignore the queuing:

    $ cat /etc/pf.bt.conf
    # Interfaces
    ext_if = pppoe0
    int_if = wi0

    # Hosts
    meth = 192.168.x.x

    # BitTorrent
    rdr on $ext_if inet proto tcp from ! $int_if:network to \
        ( $ext_if:0 ) port 6881:6889 -> $meth
    pass in log quick on $ext_if inet proto tcp from ! $int_if:network to \
        $meth port 6881:6889 flags S/SA keep state \
        queue ( torrent, tcp_ack )
Re: get bittorrent to work via pf
On Fri, Jul 15, 2005 at 03:53:02PM -0400, Vivek Ayer wrote:
> Hi all, I was wondering if anyone has gotten bit torrent (6881) as well as icecasting (8000) to work behind his/her openbsd firewall? What would I need to add in pf.conf? Thanks.

    rdr on $ext_if proto {tcp, udp} from any to $ext_ip port 6881 -> 192.168.1.38 port 6881

has worked for me. Replace 192.168.1.38 with the address of the machine you want to allow to play on BT.

-- 
68. I will spare someone who saved my life sometime in the past. This is only reasonable as it encourages others to do so. However, the offer is good one time only. If they want me to spare them again, they'd better save my life again.
--Peter Anspach's list of things to do as an Evil Overlord
Re: get bittorrent to work via pf
On Fri, 2005-07-15 at 15:15 -0500, [EMAIL PROTECTED] wrote:
>     rdr on $ext_if proto {tcp, udp} from any to $ext_ip port 6881 -> 192.168.1.38 port 6881
> has worked for me. Replace 192.168.1.38 with the address of the machine you want to allow to play on BT.

You don't need UDP for BitTorrent, AFAIK.

-- 
Shawn K. Quinn [EMAIL PROTECTED]
Re: get bittorrent to work via pf
On Fri, Jul 15, 2005 at 04:48:01PM -0500, Shawn K. Quinn wrote:
> On Fri, 2005-07-15 at 15:15 -0500, [EMAIL PROTECTED] wrote:
> >     rdr on $ext_if proto {tcp, udp} from any to $ext_ip port 6881 -> 192.168.1.38 port 6881
> > has worked for me. Replace 192.168.1.38 with the address of the machine you want to allow to play on BT.
> You don't need UDP for BitTorrent, AFAIK.

Possibly it's not necessary, but the client in use at the time complained of no UDP access and shut up when it was opened... YMMV.

-- 
A way of life that is odd or even erratic but interferes with no rights or interests of others is not to be condemned because it is different.
-- Chief Justice Warren E. Burger
Re: get bittorrent to work via pf
On Fri, Jul 15, 2005 at 03:53:02PM -0400, Vivek Ayer wrote:
> Hi all, I was wondering if anyone has gotten bit torrent (6881) as well as icecasting (8000) to work behind his/her openbsd firewall? What would I need to add in pf.conf? Thanks.

While this question was already answered, no one pointed out that the BitTorrent package installs a README.OpenBSD that explains this, and has the pf rules you need, assuming that his/her openbsd firewall is doing NAT.

It generally pays off to check the files installed by a port/package, especially if one is called README.OpenBSD.

    $ pkg_info -L packagename

to see the installed files.

-- 
[EMAIL PROTECTED]