Bill Marquette wrote:

On 10/23/05, Kevin Wolf <[EMAIL PROTECTED]> wrote:
You can tell that the port I'm getting all the traffic on is not 7700.
This means the port I'm sending from through the WAN is not 7700,
as it should be according to the rule I made.  I even double-checked
that my IP was typed correctly and that the settings in my game were right.
I can only get this game working in 0.89.2 if I use 1:1.  I got the game
working with advanced outbound NAT in 0.86.4.  The same exact setup in
0.89.2 is not working for me.

Hmmm, I fixed a bug with advanced outbound NAT after 0.86.4.  Can you
send me /tmp/rules.debug from a working 0.86.4 and one from a broken
0.89.2 so I can compare and see why it's now not working.

--Bill



Actually, here's the whole thing if you need it:


# cat /tmp/rules.debug
# System Aliases
# Interface macros. pptp and pppoe list the same ng1-ng14 netgraph
# interfaces; neither macro is referenced by any rule in this dump.
lan = "{ xl0  }"
wan = "{ xl1  }"
pptp = "{ ng1 ng2 ng3 ng4 ng5 ng6 ng7 ng8 ng9 ng10 ng11 ng12 ng13 ng14 }"
pppoe = "{ ng1 ng2 ng3 ng4 ng5 ng6 ng7 ng8 ng9 ng10 ng11 ng12 ng13 ng14 }"
# User Aliases

# NOTE(review): pf keeps a single loginterface, so the second 'set' below
# replaces the first and only xl0 counters end up in the statistics -- confirm
# that this is intended rather than a generator quirk.
set loginterface xl1
set loginterface xl0
set optimization normal

# Packet normalisation is applied on the WAN side only; LAN traffic is not scrubbed.
scrub on xl1 all


nat-anchor "pftpx/*"
nat-anchor "natearly/*"
nat-anchor "natrules/*"
# Advanced outbound NAT. pf applies the first matching nat rule, so the
# host-specific rule has to precede the catch-all below.
# NOTE(review): 'to any port 7700' matches the *destination* port of the
# packet. If the game sends from source port 7700 to some other destination
# port, this rule never matches, the catch-all below applies and the source
# port is rewritten -- which is the symptom described in the mail above.
# Preserving the source port would need 'from 192.168.1.200/32 port 7700 to any'
# (or the 'static-port' option) instead; the rdr/pass rules below already
# assume 7700 as the port seen on the WAN.
nat on xl1 from 192.168.1.200/32 to any port 7700  -> (xl1) port 7700
# Catch-all outbound NAT for the rest of the LAN; source ports are rewritten.
nat on xl1 from 192.168.1.0/24 to any  -> (xl1)
#SSH Lockout Table
# Filled by the SSH lockout mechanism; 'persist' keeps the table across rule reloads.
table <sshlockout> persist


# spam table
table <spamd> persist


# Load balancing anchor - slbd updates
rdr-anchor "slb"
# FTP proxy
rdr-anchor "pftpx/*"
# Transparent FTP proxy: LAN clients' port-21 connections are redirected to
# the local proxy on 8021.
rdr on xl0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# NAT Inbound Redirects
# Port forward for the game: UDP/7700 arriving on the WAN address goes to the
# game host. A rdr only rewrites the destination; the packet is actually
# admitted by the matching USER_RULE pass rule further down.
rdr on xl1 proto udp from any to 68.7.144.105 port { 7700 } -> 192.168.1.200 port 7700


anchor "firewallrules"

# loopback
anchor "loopback"
pass in quick on lo0 all label "pass loopback"
pass out quick on lo0 all label "pass loopback"

# package manager early specific hook
anchor "packageearly"


# carp
anchor "carp"

# enable ftp-proxy
anchor "ftpproxy"
anchor "pftpx/*"
# Lets the active-mode FTP data connection (server port 20) back in on the
# WAN, limited by 'user proxy' to sockets owned by the proxy user and to the
# proxy's high port range.
pass in quick on xl1 inet proto tcp from port 20 to (xl1) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection"

# allow access to DHCP server on LAN
anchor "dhcpserverlan"
# NOTE(review): the next line holds three separate pass rules (broadcast
# discover, unicast request, server reply) that were presumably joined by
# mail wrapping; pf expects one rule per line, so the real file has them split.
pass in quick on xl0 proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN" pass in quick on xl0 proto udp from any port = 68 to 192.168.1.1 port = 67 label "allow access to DHCP server on LAN" pass out quick on xl0 proto udp from 192.168.1.1 port = 67 to any port = 68 label "allow access to DHCP server on LAN"

# WAN spoof check
anchor "wanspoof"
# Drop and log anything entering the WAN that claims a LAN source address.
block in log quick on xl1 from 192.168.1.0/24 to any label "WAN spoof check"

# allow our DHCP client out to the WAN
# XXX - should be more restrictive
# (not possible at the moment - need 'me' like in ipfw)
anchor "wandhcp"
# Three rules on one line (same wrapping as above): client request out,
# a logged block of DHCP server replies addressed to the LAN subnet on the
# WAN, then server replies to the firewall's own client.
pass out quick on xl1 proto udp from any port = 68 to any port = 67 label "allow dhcp client out wan" block in log quick on xl1 proto udp from any port = 67 to 192.168.1.0/24 port = 68 label "allow dhcp client out wan" pass in quick on xl1 proto udp from any port = 67 to any port = 68 label "allow dhcp client out wan"

# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
antispoof for xl0


# block anything from private networks on WAN interface
anchor "spoofing"
# Four logged blocks for RFC 1918 and loopback sources on the WAN, again
# collapsed onto one line by the paste. The 192.168/16 entry overlaps the
# WAN spoof check above but is broader.
block in log quick on xl1 from 10.0.0.0/8 to any label "block private networks from wan block 10/8" block in log quick on xl1 from 127.0.0.0/8 to any label "block private networks from wan block 127/8" block in log quick on xl1 from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12" block in log quick on xl1 from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
# Support for allow limiting of TCP connections by establishment rate
anchor "limitingesr"
# NOTE(review): declared without 'persist' and not referenced by any rule in
# this dump, so pf may drop the table on load -- check whether the anchor
# is expected to reference it.
table <virusprot>

# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
anchor "wanbogons"
# Bogon list is loaded from a file and kept across reloads.
table <bogons> persist file "/etc/bogons"
block in log quick on xl1 from <bogons> to any label "block bogon networks from wan"

# let out anything from the firewall host itself and decrypted IPsec traffic
# pass out quick on xl1 all keep state label "let out anything from firewall host itself"
# pass traffic from firewall -> out
anchor "firewallout"
# Unrestricted stateful pass-out on both WAN and LAN (two rules on one line).
pass out quick on xl1 all keep state label "let out anything from firewall host itself" pass out quick on xl0 all keep state label "let out anything from firewall host itself"

# make sure the user cannot lock himself out of the webGUI or SSH
anchor "anti-lockout"
# No interface or protocol restriction: any LAN source reaches every port
# on the firewall's LAN address, not only the GUI and SSH ports.
pass in quick from 192.168.1.0/24 to 192.168.1.1 keep state label "anti-lockout web rule"

# SSH lockout
# Not 'quick': the later quick pass rules (anti-lockout above, LAN user rule
# below) still win for LAN sources, so this effectively applies to WAN-side
# entries in <sshlockout> only.
block in log proto tcp from <sshlockout> to any port 22 label "sshlockout"


# User-defined rules follow
# Two rules on one line: the pass for the UDP/7700 game forward (after the
# rdr has rewritten the destination to 192.168.1.200), and the default
# LAN-to-any pass. Both are stateful.
pass in quick on $wan proto udp from any to { 192.168.1.200 } port = 7700 keep state label "USER_RULE: NAT wolfk-desk gunz" pass in quick on $lan from 192.168.1.0/24 to any keep state label "USER_RULE: Default LAN -> any"

# VPN Rules

#---------------------------------------------------------------------------
# default rules (just to be sure)
#---------------------------------------------------------------------------
# Default deny in both directions, logged; everything not explicitly passed
# above ends here.
block in log quick all label "Default block all just to be sure."
block out log quick all label "Default block all just to be sure."

#

