Re: ipfilter - port forward question
> map ep0 192.168.1.0/24 -> 0/32
> rdr epo 24.225.33.0/32 port 31240 -> 192.168.1.35 port 31240 tcp

Try "rdr ep0 0/0 port 31240 -> 192.168.1.35 port 31240 tcp" in your nat
rules and try something like "pass in quick on ed0 all keep state/pass out
quick on ed0 all keep state" in your ipf rules. There's really no need to
open up the whole machine like this though. Why not "pass in quick on ed0
proto tcp from any to any port = 31240 flags S keep state"?

One last thing that I just thought of...are you sure the game uses TCP? Most
games use UDP because of the lower overhead.

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
RE: ipfilter - port forward question
Well, it does in fact use udp. Here is what I have done.

Added to /etc/ipfilter.rules

pass in quick on ep0 proto tcp from any to any port = 31240 keep state

Added to /etc/ipnat.rules

rdr ep0 0/0 port 31240 -> 192.168.1.35 port 31240 udp

first question.
I can reload the ipfilter rules with the
ipf -Fa -f /etc/ipfilter.rules

how do I reload the ipnat rules ?

I tried ipnat -F then
ipnat -f /etc/ipnat.rules.

But when I did a ipnat -l it showed that it
just added the new rdr (so I had two listed).

I rebooted.

External users still couldn't connect. So, I create a new
ipfilter.rules file with:
pass in quick on ep0 all keep state
pass out quick on ep0 all keep state.

reloaded the firewall rules. Users tried to connect but couldn't.
I looked at the nat table I saw:

map 192.168.1.35 1256 <- -> 24.225.33.88 1256 [24.225.17.163 5101]
rdr 192.168.1.35 31240 <- -> 24.225.33.88 31240 [24.225.17.163 1131]

I feel I'm close. What am I missing/screwing up ?

thanks,
Darryl
FreeBSD 4.7S

>-----Original Message-----
>From: Mike Maltese [mailto:[EMAIL PROTECTED]
>Sent: Thursday, August 07, 2003 4:14 PM
>To: [EMAIL PROTECTED]
>Cc: [EMAIL PROTECTED]
>Subject: Re: ipfilter - port forward question
>
>
>> map ep0 192.168.1.0/24 -> 0/32
>> rdr epo 24.225.33.0/32 port 31240 -> 192.168.1.35 port 31240 tcp
>
>Try "rdr ep0 0/0 port 31240 -> 192.168.1.35 port 31240 tcp" in your nat
>rules and try something like "pass in quick on ed0 all keep state/pass out
>quick on ed0 all keep state" in your ipf rules. There's really no need to
>open up the whole machine like this though. Why not "pass in quick on ed0
>proto tcp from any to any port = 31240 flags S keep state"?
>One last thing that I just thought of...are you sure the game uses TCP? Most
>games use UDP because of the lower overhead.
RE: ipfilter - port forward question
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:owner-freebsd-
> [EMAIL PROTECTED] On Behalf Of Darryl Hoar
> Sent: August 8, 2003 2:38 PM
> To: 'Mike Maltese'
> Cc: [EMAIL PROTECTED]
> Subject: RE: ipfilter - port forward question
>
> Well,
> it does in fact use udp. Here is what I have done.
>
> Added to /etc/ipfilter.rules
>
> pass in quick on ep0 proto tcp from any to any port = 31240 keep state

you *did* in fact mean to say "pass in quick on ep0 proto udp from (etc)

> Added to /etc/ipnat.rules
>
> rdr ep0 0/0 port 31240 -> 192.168.1.35 port 31240 udp

This appears to be OK.

> first question.
> I can reload the ipfilter rules with the
> ipf -Fa -f /etc/ipfilter.rules

you certainly can

> how do I reload the ipnat rules ?
>
> I tried ipnat -F then
> ipnat -f /etc/ipnat.rules.

Try ipnat -Cf -f /etc/ipnat.rules

> But when I did a ipnat -l it showed that it
> just added the new rdr (so I had two listed).
>
> I rebooted.
>
> External users still couldn't connect. So, I create a new
> ipfilter.rules file with:
> pass in quick on ep0 all keep state
> pass out quick on ep0 all keep state.
>
> reloaded the firewall rules. Users tried to connect but couldn't.
> I looked at the nat table I saw:
>
> map 192.168.1.35 1256 <- -> 24.225.33.88 1256 [24.225.17.163 5101]
> rdr 192.168.1.35 31240 <- -> 24.225.33.88 31240 [24.225.17.163 1131]
>
> I feel I'm close. What am I missing/screwing up ?
>
> thanks,
> Darryl
> FreeBSD 4.7S

OK, you must be close. I'm not entirely sure why that wouldn't be working
using the firewall rules you mentioned after rebooting. I've never forwarded
anything other than tcp though for basic stuff like www, smtp etc... so I'm
unsure if ipnat is picky about udp traffic. I know that on my ipnat.rules I
have this line, unclear though if this would make a difference:

map dc0 192.168.0.0/24 -> xx.xx.xx.xx/32 portmap tcp/udp 3:5

I strongly suggest you look at this site...
I like to think I'm quite good with ipf/ipnat, and it's solely because of the
knowledge of it I got out of the whitepaper located there.

www.obfuscation.org/ipf

HTH,
Sandro
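As an added illustration (not part of the thread, not Darryl's or Sandro's files), here is a complete pair of rule files that puts the thread's pieces together: the UDP redirect Sandro confirmed, the udp (not tcp) filter rule he pointed out, and the scoped rule Mike suggested in place of the "pass in all" version. It assumes, as the thread does, that ep0 is the external interface and the game host is 192.168.1.35; the portmap port range is a constructed value, and the trailing block rule is an addition the thread does not contain.

```conf
# /etc/ipnat.rules  (constructed example; ep0 = external interface, as in the thread)

# Outbound NAT for the LAN. "portmap tcp/udp" rewrites source ports so several
# LAN hosts behind the one public address cannot collide (range is constructed).
map ep0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:60000
map ep0 192.168.1.0/24 -> 0/32

# Inbound redirect: any destination address on ep0, UDP port 31240, to the
# game host. 0/0 rather than the public /32 keeps working if the address changes.
rdr ep0 0/0 port 31240 -> 192.168.1.35 port 31240 udp


# /etc/ipfilter.rules  (constructed example)

# Weak form used for testing in the thread: everything in and out, stateful.
#   pass in  quick on ep0 all keep state
#   pass out quick on ep0 all keep state

# Scoped form: only the forwarded UDP port is opened on the external side.
# IPFilter applies inbound NAT before the filter, so by the time this rule is
# evaluated the packet is already addressed to 192.168.1.35; the original
# "proto tcp" rule never matched the game's UDP datagrams at all.
pass in quick on ep0 proto udp from any to any port = 31240 keep state

# Replies leave through the state entry; other outbound traffic stays stateful.
pass out quick on ep0 all keep state

# Everything else arriving on the external interface is dropped (added here;
# the thread's rulesets had no explicit default block).
block in quick on ep0 all
```

To load both without leaving stale entries, run `ipf -Fa -f /etc/ipfilter.rules` for the filter and `ipnat -CF -f /etc/ipnat.rules` for NAT: `-C` flushes the NAT rule list (which is what produced Darryl's duplicated rdr after `ipnat -F` alone) and `-F` flushes the active translation table. `ipnat -l` should then show a single rdr rule, and, once a client connects, one `rdr 192.168.1.35 31240 <- -> ...` mapping like the one Darryl saw.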