ipf, ipnat and Bittorrent

2005-02-16 Thread Paul
I am trying to forward bittorrent ports on FreeBSD 5.3 with ipf and ipnat.
But the bittorrent indicator stays yellow which means it isn't set up
correctly.  Also, I don't get as many connections to peers as I should and
download speeds are very poor.  My ipnat.rules and ipf.rules files are shown
below:

 

ipnat.rules:

#Rules for ipnat

#This line says to map outbound traffic to your public IP address
map tun0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto

#bittorrent
rdr tun0 0/32 port 6881 -> 192.168.0.3 port 6881 tcp/udp
rdr tun0 0/32 port 6882 -> 192.168.0.3 port 6882 tcp/udp
rdr tun0 0/32 port 6883 -> 192.168.0.3 port 6883 tcp/udp
rdr tun0 0/32 port 6884 -> 192.168.0.3 port 6884 tcp/udp
rdr tun0 0/32 port 6885 -> 192.168.0.3 port 6885 tcp/udp
rdr tun0 0/32 port 6886 -> 192.168.0.3 port 6886 tcp/udp
rdr tun0 0/32 port 6887 -> 192.168.0.3 port 6887 tcp/udp
rdr tun0 0/32 port 6888 -> 192.168.0.3 port 6888 tcp/udp
rdr tun0 0/32 port 6889 -> 192.168.0.3 port 6889 tcp/udp
rdr tun0 0/32 port 6890 -> 192.168.0.3 port 6890 tcp/udp


ipf.rules:

#
#
# IP packet filtering rules (firewall)
#

# If you change this file, run
#ipf -Fa -f /etc/ipf.rules
# to update kernel tables

# All rules are quick so go strictly top to bottom

#  Don't bug loopback
#
pass out quick on lo0
pass in quick on lo0

#  Don't bother the inside interface either
#
pass out quick on sis0
pass in quick on sis0

#
#
#  First, we deal with bogus packets.
#

#  Block any inherently bad packets coming in from the outside world.
#  These include ICMP redirect packets and IP fragments so short the
#  filtering rules won't be able to examine the whole UDP/TCP header.
#
block in log quick on tun0 proto icmp from any to any icmp-type redir
block in log quick on tun0 proto tcp/udp all with short

#  Block any IP spoofing attempts.  (Packets from non-routable
#  addresses shouldn't be coming in from the outside).
#
block in quick on tun0 from 192.168.0.0/16 to any
block in quick on tun0 from 127.0.0.0/8 to any
block in quick on tun0 from 172.16.0.0/12 to any
block in quick on tun0 from 10.0.0.0/8 to any
block in quick on tun0 from 0.0.0.0/8 to any
block in quick on tun0 from 169.254.0.0/16 to any
block in quick on tun0 from 192.0.2.0/24 to any
block in quick on tun0 from 204.152.64.0/23 to any
block in quick on tun0 from 224.0.0.0/3 to any
block in quick on tun0 from 255.255.255.255/32 to any

#  Kill all source-routed packets
#
block in quick on tun0 all with opt lsrr
block in quick on tun0 all with opt ssrr

#  Don't allow non-routable packets to leave our network
#
block out quick on tun0 from any to 192.168.0.0/16
block out quick on tun0 from any to 127.0.0.0/8
block out quick on tun0 from any to 172.16.0.0/12
block out quick on tun0 from any to 10.0.0.0/8
block out quick on tun0 from any to 0.0.0.0/8
block out quick on tun0 from any to 169.254.0.0/16
block out quick on tun0 from any to 192.0.2.0/24
block out quick on tun0 from any to 204.152.64.0/23
block out quick on tun0 from any to 224.0.0.0/3
block out quick on tun0 from any to 255.255.255.255/32

#
#
#  Now the normal filtering rules
#

#  ICMP: allow incoming ping and traceroute only
#
pass in quick on tun0 proto icmp from any to any icmp-type echorep
pass in quick on tun0 proto icmp from any to any icmp-type echo
pass in quick on tun0 proto icmp from any to any icmp-type timex
pass in quick on tun0 proto icmp from any to any icmp-type unreach
block in log quick on tun0 proto icmp from any to any

#  TCP: Allow various incoming services. Only match
#  SYN packets, and allow the state table to handle the rest of the
#  connection.
#
pass in quick on tun0 proto tcp from any to any port = ssh flags S keep frags keep state
pass in quick on tun0 proto tcp from any to any port = http flags S keep frags keep state
pass in quick on tun0 proto tcp from any to any port = 443 flags S keep frags keep state
pass in quick on tun0 proto tcp from any to any port = ftp keep state
pass in quick on tun0 proto tcp from any to any port = 3306 flags S keep frags keep state
pass in quick on tun0 proto tcp from any to any port 6880 >< 6891 flags S keep state
pass in quick on tun0 proto udp from any to any port 6880 >< 6891 keep state

#  Of course we need to allow packets coming in as replies to our
#  connections so we keep state. Strictly speaking, with packets
#  coming from our network we don't have to only match SYN,
#  and it's rather unlikely that there will be any fragments. But
#  what the hell.
#
pass out quick on tun0 proto tcp from any to any flags S keep frags keep state


Re: ipf, ipnat and Bittorrent

2005-02-16 Thread Warren
On Wed, 16 Feb 2005 11:04 pm, Paul wrote:
 I am trying to forward bittorrent ports on FreeBSD 5.3 with ipf and ipnat.
 But the bittorrent indicator stays yellow which means it isn't set up
 correctly.  Also, I don't get as many connections to peers as I should and
 download speeds are very poor.  My ipnat.rules and ipf.rules files are
 shown below:

I use this basic thing in my ppp.conf and it has greatly increased my up/down
speeds ... never dealt with the FW, so this is about as much as I can sort of help.

nat port tcp IP Address:6881-6999 6881-6999
-- 
Yours Sincerely
Shinjii
http://www.shinji.nq.nu
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: ipf, ipnat and Bittorrent

2005-02-16 Thread Fabian Anklam
On Wed, 16 Feb 2005 13:04:28 -, Paul [EMAIL PROTECTED] wrote:
 I am trying to forward bittorrent ports on FreeBSD 5.3 with ipf and ipnat.
 But the bittorrent indicator stays yellow which means it isn't set up
 correctly.  Also, I don't get as many connections to peers as I should and
 download speeds are very poor.  My ipnat.rules and ipf.rules files are shown
 below:

Took some toying around for me as well to get it running. For
starters, Azureus is fine with one port only (set in Tools -> Options
-> Incoming TCP listen port); I use 50505.

[...]
 
 #bittorrent
 rdr tun0 0/32 port 6881 -> 192.168.0.3 port 6881 tcp/udp
 rdr tun0 0/32 port 6882 -> 192.168.0.3 port 6882 tcp/udp
 rdr tun0 0/32 port 6883 -> 192.168.0.3 port 6883 tcp/udp
 rdr tun0 0/32 port 6884 -> 192.168.0.3 port 6884 tcp/udp
 rdr tun0 0/32 port 6885 -> 192.168.0.3 port 6885 tcp/udp
 rdr tun0 0/32 port 6886 -> 192.168.0.3 port 6886 tcp/udp
 rdr tun0 0/32 port 6887 -> 192.168.0.3 port 6887 tcp/udp
 rdr tun0 0/32 port 6888 -> 192.168.0.3 port 6888 tcp/udp
 rdr tun0 0/32 port 6889 -> 192.168.0.3 port 6889 tcp/udp
 rdr tun0 0/32 port 6890 -> 192.168.0.3 port 6890 tcp/udp

The "any IP" address for an interface in ipnat seems to be 0/0 instead of 0/32,
and I am not sure if the tcp/udp keyword also works with ipnat. I use:

rdr xl0 0/0 port 50505 -> 192.168.0.11 port 50505 tcp
rdr xl0 0/0 port 50505 -> 192.168.0.11 port 50505 udp

and then in ipf.rules:

pass in quick on xl0 proto tcp from any to 192.168.0.11 port = 50505 flags S keep state
pass in quick on xl0 proto udp from any to 192.168.0.11 port = 50505 keep state

Regards
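The changes Fabian describes, pulled together as an added example that is not from the thread: a small POSIX sh script that generates the ipnat and ipf rules for a BitTorrent listen-port range, using 0/0 as the match address instead of Paul's 0/32, one rdr line per protocol instead of the tcp/udp keyword, and pass rules scoped to the redirected host and port range rather than "from any to any". The interface tun0, the host 192.168.0.3 and the network 192.168.0.0/24 are taken from Paul's config as defaults; the function names and the syntax-check step with `ipnat -n` and `ipf -n` are my own additions, not anything posted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): generate ipnat/ipf rules for a
# BitTorrent listen-port range with the fixes discussed in the replies.
# Defaults are assumed from Paul's config; override them via the environment.

EXT_IF="${EXT_IF:-tun0}"               # external (PPP) interface
INT_HOST="${INT_HOST:-192.168.0.3}"    # LAN host running the client
LAN_NET="${LAN_NET:-192.168.0.0/24}"   # LAN range that is masqueraded

# ipnat rules. 0/0 matches any destination address arriving on the
# interface (Fabian's point; Paul's rdr lines used 0/32). tcp and udp get
# separate rdr lines so nothing depends on tcp/udp being accepted in rdr.
gen_ipnat() {
    first=$1; last=$2
    printf 'map %s %s -> 0/32 portmap tcp/udp auto\n' "$EXT_IF" "$LAN_NET"
    printf 'map %s %s -> 0/32\n' "$EXT_IF" "$LAN_NET"   # ICMP and other non-port protocols
    p=$first
    while [ "$p" -le "$last" ]; do
        for proto in tcp udp; do
            printf 'rdr %s 0/0 port %s -> %s port %s %s\n' \
                "$EXT_IF" "$p" "$INT_HOST" "$p" "$proto"
        done
        p=$((p + 1))
    done
}

# ipf rules. rdr rewrites the destination before ipf sees the packet, so the
# pass rule can and should name the internal host, not "any". ipf's
# "a >< b" port range is exclusive, so the bounds are widened by one.
gen_ipf() {
    first=$1; last=$2
    lo=$((first - 1)); hi=$((last + 1))
    printf 'pass in quick on %s proto tcp from any to %s port %s >< %s flags S keep state\n' \
        "$EXT_IF" "$INT_HOST" "$lo" "$hi"
    printf 'pass in quick on %s proto udp from any to %s port %s >< %s keep state\n' \
        "$EXT_IF" "$INT_HOST" "$lo" "$hi"
}

# Syntax check only: ipnat -n / ipf -n parse a file without changing the
# kernel tables. Skipped silently on hosts without IP Filter installed.
dry_run() {
    tmp=$(mktemp) || return 1
    if command -v ipnat >/dev/null 2>&1; then
        gen_ipnat "$1" "$2" > "$tmp" && ipnat -n -f "$tmp"
    fi
    if command -v ipf >/dev/null 2>&1; then
        gen_ipf "$1" "$2" > "$tmp" && ipf -n -f "$tmp"
    fi
    rm -f "$tmp"
}

# Usage: sh bt-rules.sh 6881 6890   (prints both rule sets, then syntax-checks them)
if [ $# -eq 2 ]; then
    gen_ipnat "$1" "$2"
    echo
    gen_ipf "$1" "$2"
    dry_run "$1" "$2"
fi
```

Two things to keep in mind when dropping the output into the real files: the generated pass rules only narrow exposure if the ipf set ends with a default deny such as `block in log quick on tun0 all`, which the posted ipf.rules does not have after its final pass out line (ipf passes unmatched packets unless the kernel was built with IPFILTER_DEFAULT_BLOCK); and after editing, reload with `ipnat -CF -f /etc/ipnat.rules` and `ipf -Fa -f /etc/ipf.rules`, then confirm with `ipnat -l` that the rdr entries are listed and with `ipfstat -io` that the pass rules appear before any block that would shadow them.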