irc-icq over obsd-gateway

From: David Mayer (curb_at_aon.at)
Date: 09/10/04

    Date: Fri, 10 Sep 2004 12:28:27 +0200

    hi group!

    I have a really annoying problem with IRC and ICQ.

    I can chat with IRC well, but I can't receive any files sent by DCC ->
    Connection failed (mIRC, WinXP).
    I set up port 4000-4005 in Connect/options/Advanced in the irc-options
    and passed them through pf.

    I don't know what's wrong with these rules!

    My problem with ICQ is as follows: I can connect and I see online contacts,
    but just for about 1 minute!! Then I am disconnected.

    Well, best at the end: I can't even post on newsgroups, but NNTP is
    enabled. (This post was sent another way.)

    my pf.conf:
    ----------------------------------------------------------------------
    # Definitions
    ext = "ppp0" # External interface
    int = "rl0" # Internal interface
    Loop = "lo0" # Loopback interface
    IntNet= "{ 192.168.5.10, 192.168.5.20, 192.168.5.30, 192.168.5.100 }"

    NoRoute = "{ 127.0.0.1/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 255.255.255.255/32 }"

    InServicesTCP = "{ ssh auth }"
    OutServicesTCP = "{ http https smtp pop3 whois domain ssh telnet ftp ftp-data nntp auth ntp }"
    OutServicesUDP = "{ ntp domain }"
    ASE = "{ 27243:27245 }"
    csTCP = "{ 27030:27039 }"
    csUDP = "{ 27000:27040, 1200 }"
    ICQ = "{ 5190 6969 }"
    IRC = "{ 6660:6669 59 4000:4005 }"
    nfsUDP = "{ 3658 3659 }"
    nfsTCP = "{ 10900:10999 }"

    set block-policy drop
    set loginterface ppp0

    # Clean up fragmented and abnormal packets
    # By default in pf, packets which contain IP options are blocked. Good.
    scrub in on { $ext $int } all

    # NAT Rules
    nat on $ext from $int:network to any -> ($ext)

    # block and log everything
    block out log on $ext all
    block in log on $ext all
    block return-rst out log on $ext proto tcp all
    block return-rst in log on $ext proto tcp all
    block return-icmp out log on $ext proto udp all
    block return-icmp in log on $ext proto udp all

    block in quick inet6 all
    block out quick inet6 all

    # loopback packets left unmolested
    pass in quick on $Loop all
    pass out quick on $Loop all

    # Immediate blocks
    # fuzz any 'nmap' attempt
    block in log quick on $ext inet proto tcp from any to any flags FUP/FUP
    block in log quick on $ext inet proto tcp from any to any flags SF/SFRA
    block in log quick on $ext inet proto tcp from any to any flags /SFRA

    # don't allow anyone to spoof non-routeable addresses
    block in log quick on $ext from $NoRoute to any
    block out log quick on $ext from any to $NoRoute

    # silently drop broadcasts (cable modem noise)
    block in quick on $ext from any to 255.255.255.255

    # PASS rules
    # ALL -- we don't normally do that. For debugging only.
    #pass out quick on $ext all keep state

    # ICMP
    pass out quick on $ext inet proto icmp all icmp-type 8 code 0 keep state
    pass in log quick on $ext inet proto icmp all icmp-type 8 code 0 keep state

    # Services we provide to the outside world
    #pass in quick on $ext inet proto udp from any to any port $InServicesUDP keep state
    pass in quick on $ext inet proto tcp from any to any port $InServicesTCP flags S/SA keep state

    # Standard services we want to access in the world
    pass out quick on $ext inet proto udp from any to any port $OutServicesUDP keep state
    pass out quick on $ext inet proto tcp from any to any port $OutServicesTCP flags S/SA modulate state
    pass out quick on $ext inet proto { tcp udp } from any to any port $ASE
    pass out quick on $ext inet proto tcp from any to any port $csTCP
    pass out quick on $ext inet proto udp from any to any port $csUDP
    pass out quick on $ext inet proto tcp from any to any port $ICQ
    pass out quick on $ext inet proto tcp from any to any port $IRC
    pass out quick on $ext inet proto udp from any to any port $nfsUDP
    pass out quick on $ext inet proto tcp from any to any port $nfsTCP
    ----------------------------------------------------------------------

    If you need further information, just ask!
    I am really in despair and I appreciate any help.
    Regards.

    -- 
    David Mayer
    GnuPG public key: http://members.aon.at/curbaxx/pubkey.asc
    Fingerprint: FCC8 7225 6DE7 AO54 161B DB77 E25B FC38 1CEF A35B
    (c u r b) (AT) (a o n) (DOT) (a t)
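Since the question is which of the posted rules are wrong, a small lint over the configuration is a useful first step: it expands macros, reports macros defined but never referenced and references to undefined macros, and flags pass rules that carry no state keyword (pf releases before OpenBSD 4.1 kept state only when a rule asked for it). This is an added Python example, not code from the original post; the excerpt it parses is constructed from the rules above.

```python
import re
# Constructed excerpt of the pf.conf posted above, copied so findings match it.
PF_CONF = """\
ext = "ppp0" # External interface
IntNet= "{ 192.168.5.10, 192.168.5.20 }"
OutServicesTCP = "{ http https smtp pop3 nntp }"
ICQ = "{ 5190 6969 }"
IRC = "{ 6660:6669 59 4000:4005 }"
#pass in quick on $ext inet proto udp from any to any port $InServicesUDP keep state
pass out quick on $ext inet proto tcp from any to any port $OutServicesTCP flags S/SA modulate state
pass out quick on $ext inet proto tcp from any to any port $ICQ
pass out quick on $ext inet proto tcp from any to any port $IRC
"""

MACRO_DEF = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')
MACRO_REF = re.compile(r'\$(\w+)')
STATE_KW = re.compile(r'\b(keep|modulate|synproxy)\s+state\b')

def parse_pf(text):
    """Split pf.conf text into macro definitions and active (uncommented) rules."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # a comment runs to end of line
        if not line:
            continue
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
        else:
            rules.append(line)
    return macros, rules

def expand(rule, macros):
    """Substitute $name references so a rule reads without the macro table."""
    return MACRO_REF.sub(lambda m: macros.get(m.group(1), m.group(0)), rule)

def lint_pf(text):
    """Return (kind, detail) findings: unused/undefined macros, stateless pass rules."""
    macros, rules = parse_pf(text)
    referenced = {n for r in rules for n in MACRO_REF.findall(r)}
    findings = [('unused-macro', n) for n in macros if n not in referenced]
    for rule in rules:
        for name in MACRO_REF.findall(rule):
            if name not in macros:
                findings.append(('undefined-macro', name))
        # pf before OpenBSD 4.1 kept state only on request; a stateless pass merits review.
        if rule.startswith('pass') and not STATE_KW.search(rule):
            findings.append(('stateless-pass', expand(rule, macros)))
    return findings
```

Run against the full posted file, the same checks report `IntNet` as defined but unused and every `pass out` rule from `$ASE` down to `$nfsTCP` as stateless.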
    
