Re: Did I punch a hole through my firewall correctly?

From: ./ToZ (ToZ_at_ToZ.com)
Date: 12/02/03

Date: Tue, 02 Dec 2003 12:08:32 GMT
On Tue, 02 Dec 2003 10:16:49 GMT, Just Another Victim of the Ambient Morality <ihatespam@rogers.com> spat:
> I'm trying to punch a hole through my firewall/NAT in order to
> facilitate bit torrent. I need to redirect connections to ports 6881-6999
> to my windows box, behind the firewall. This is what I have in my pf.conf:
>
> pass in quick on $ext_if proto tcp from any to any port 6880 >< 7000
>
> ...and this is what I have in my nat.conf:
>
> rdr on $ext_if proto tcp from any to any port 6880 >< 7000 -> 172.20.0.6
>
> Is this sufficient? I haven't had much luck with firewall holes. For
> instance, I've tried, as an experiment, doing this:
>
> pass in quick on $ext_if from [very specific IP] to any
>
> ...and then trying to ssh to my firewall from [very specific IP] but
> without success. My firewall instantly refuses the connection. I'm also
> confused about the role of the interface. For instance, I also have, in my
> nat.conf:
>
> binat on $ext_if from 172.20.0.6 to any -> $ext_if
>
> ...but shouldn't it be "binat on $int_if from ..." except that it
> doesn't work if I do that. Why not?
> In addition to all this, it would be nice if I didn't have to reboot
> every time I wanted to test some pf/nat changes. How do I restart my
> internet services without rebooting?
> Thank you, so much, for your help!
>
>
Here are my firewall rules to allow bittorrent for my 3.3 box. I do everything
on the fly by putting these commands in separate files and executing commands
on those files.

###################################################################
# bittorrent passin
#
# enable = pfctl -a passin:bittorrent -f /etc/firewall/bittorrent.passin
# disable = pfctl -a passin:bittorrent -F rules
###################################################################
ext_if = "tun0"
pass in quick on $ext_if inet proto tcp from any to any port 6880><6889 flags S/SAFR keep state

###################################################################
# bittorrent port forward
#
# enable = pfctl -a redirect:bittorrent -f /etc/firewall/bittorrent.redirect
# disable = pfctl -a redirect:bittorrent -F nat
###################################################################
ext_if = "tun0"
rdr on $ext_if proto tcp from any to any port 6881:6889 -> 10.0.0.12 port 6881:*

I usually run bittorrent right on my server and mostly use the passin
file. IIRC, to get the port forward to work, I had to execute the
passin file first (to allow it in), then the port forward file (to forward
the packets to the proper box).

See the pfctl man page for info on how to manipulate the firewall rules
without having to reboot.

./ToZ
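The two anchor files in ToZ's reply, as an added example that is not ToZ's own files: a small POSIX shell script that generates the pass and rdr rules from a few variables, syntax-checks each file with `pfctl -n` before loading it into its anchor, and never touches the running ruleset if the parse fails. The interface `tun0`, the internal host `10.0.0.12`, the port range 6881-6889 and the anchor names `passin` and `redirect` are taken from the post; the file location and the `PF_RULE_DIR` variable are assumptions. Two things it adds to the post's rules: the pass rule is narrowed to the translated internal address (pf applies rdr before filtering, so the filter rule sees the packet already addressed to `10.0.0.12`), and it prints the `rdr-anchor` / `anchor` lines that the main `pf.conf` must contain, since rules loaded into an anchor are never evaluated unless `pf.conf` references that anchor.

```shell
#!/bin/sh
# Added example (not ToZ's files): build and load pf anchor rules for a
# BitTorrent port forward without rebooting. Values below are assumptions
# constructed for this example, chosen to match the post.

EXT_IF="tun0"          # assumed external interface
INT_HOST="10.0.0.12"   # assumed internal host running the client
LO=6881                # first forwarded TCP port
HI=6889                # last forwarded TCP port (inclusive)

# Filter rule: accept only new TCP connections (SYN set, ACK/FIN/RST clear)
# to the *translated* destination, and keep state so replies match.
# Arguments: ext_if int_host lo hi
pf_pass_rule() {
    printf 'pass in quick on %s inet proto tcp from any to %s port %d:%d flags S/SAFR keep state\n' \
        "$1" "$2" "$3" "$4"
}

# Translation rule: rewrite the destination to the internal host, keeping
# the original port number ("port lo:*" maps the range onto itself).
# Arguments: ext_if lo hi int_host
pf_rdr_rule() {
    printf 'rdr on %s proto tcp from any to any port %d:%d -> %s port %d:*\n' \
        "$1" "$2" "$3" "$4" "$2"
}

# Lines the main pf.conf needs so the two anchors are evaluated at all.
# Translation anchors go in the nat/rdr section, filter anchors after it.
pf_anchor_stanza() {
    printf 'rdr-anchor redirect\nanchor passin\n'
}

# Parse the file first (-n loads nothing); only on success replace the
# anchor's ruleset. A typo therefore never leaves the anchor half-loaded.
# Arguments: anchor:ruleset file
pf_load_anchor() {
    anchor="$1"; file="$2"
    if ! command -v pfctl >/dev/null 2>&1; then
        echo "pfctl not available here; would run: pfctl -a $anchor -f $file" >&2
        return 0
    fi
    pfctl -n -a "$anchor" -f "$file" || return 1
    pfctl -a "$anchor" -f "$file"
}

main() {
    dir="${PF_RULE_DIR:-$(mktemp -d)}"   # assumed rule directory
    pf_pass_rule "$EXT_IF" "$INT_HOST" "$LO" "$HI" > "$dir/bittorrent.passin"
    pf_rdr_rule  "$EXT_IF" "$LO" "$HI" "$INT_HOST" > "$dir/bittorrent.redirect"

    echo "# add to pf.conf:"; pf_anchor_stanza
    echo "# $dir/bittorrent.passin:";   cat "$dir/bittorrent.passin"
    echo "# $dir/bittorrent.redirect:"; cat "$dir/bittorrent.redirect"

    # Same order as the post: allow the traffic in first, then redirect it.
    pf_load_anchor passin:bittorrent   "$dir/bittorrent.passin"
    pf_load_anchor redirect:bittorrent "$dir/bittorrent.redirect"
}

main
```

Disabling works as in the post (`pfctl -a passin:bittorrent -F rules` and `pfctl -a redirect:bittorrent -F nat`), and `pfctl -a passin:bittorrent -sr` or `-sn` shows what each anchor currently holds, which is the quickest way to confirm a change took effect without a reboot.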