From: Graham Menhennitt
To: freebsd-ipfw@freebsd.org
Subject: Re: connecting a PS4 via IPFW [solved]
Date: Sun, 20 Dec 2015 17:36:28 +1100
Message-ID: <56764C6C.5060606@menhennitt.com.au>
In-Reply-To: <5655405C.1060301@menhennitt.com.au>
On 25/11/2015 16:00, Graham Menhennitt wrote:
> Hello IPFWers,
>
> I have a box running FreeBSD 10-stable that I use as a router/firewall/NAT. It runs IPFW and uses kernel NAT. My son is nagging me about playing multi-player online games on his Sony PS4.
>
> From what I've read, I could enable UPnP. But I've tried compiling the net/miniupnpd port but it won't build for IPFW (and I don't want to convert to PF).
>
> Giving up on that, I'm now trying to enable port forwarding - apparently, this will fix it. I've allocated the PS4 a static IP address on my LAN. I need to port forward TCP ports 80, 443, 1935, 3478-3480, and UDP ports 3478-3479. I've tried the following command:
>
> ipfw nat 1 config \
>   redirect_port tcp ${PS4_LAN_ADDRESS}:1935 80 \
>   redirect_port tcp ${PS4_LAN_ADDRESS}:1935 443 \
>   redirect_port tcp ${PS4_LAN_ADDRESS}:1935 1935 \
>   redirect_port tcp ${PS4_LAN_ADDRESS}:3478 3478 \
>   redirect_port tcp ${PS4_LAN_ADDRESS}:3479 3479 \
>   redirect_port tcp ${PS4_LAN_ADDRESS}:3480 3480 \
>   redirect_port udp ${PS4_LAN_ADDRESS}:3478 3478 \
>   redirect_port udp ${PS4_LAN_ADDRESS}:3479 3479
>
> but that completely kills my Internet connection for all other uses (and the PS4 still doesn't work!).
>

After Thomas' hint and lots of help from Ian, I now have a working setup. And I believe it's considerably more secure than before. It's basically a modified version of "Simple" from /etc/rc.firewall. Many thanks to both Thomas and Ian.
Graham

/etc/rc.conf:

firewall_enable="YES"
firewall_flags="-p m4 -DOUTSIDE_IF=re1 -DLAN_IF=re0 -DLAN_NET=192.168.0.0/25 -DWIFI_IF=re2 -DWIFI_NET=192.168.0.128/26 -DVPN_IF=tap0 -DVPN_NET=192.168.0.192/26 -DPS4_ADDR=192.168.0.235 -DIPV6_IF=gif0"
firewall_type="/etc/ipfw.rules"

/etc/ipfw.rules:

# stop spoofing
add deny all from LAN_NET to any in via OUTSIDE_IF
add deny all from WIFI_NET to any in via OUTSIDE_IF

# allow anything on the LAN
add allow all from any to any via LAN_IF
# and from the VPN
add allow all from any to any via VPN_IF
# allow anything from the wireless network to the outside world (but not to the LAN)
add allow ip from any to not LAN_NET via WIFI_IF

# create a table of addresses to block
table 1 flush
# add RFC1918 nets
table 1 add 10.0.0.0/8
table 1 add 172.16.0.0/12
table 1 add 192.168.0.0/16
# and draft-manning-dsua-03.txt nets
table 1 add 0.0.0.0/8
table 1 add 169.254.0.0/16
table 1 add 192.0.2.0/24
table 1 add 224.0.0.0/4
table 1 add 240.0.0.0/4
# stop entries in the table coming in on the outside interface
add deny all from table(1) to any in recv OUTSIDE_IF

# similarly for IPv6
table 2 flush
# Stop unique local unicast address on the outside interface
table 2 add fc00::/7
# Stop site-local on the outside interface
table 2 add fec0::/10
# Disallow "internal" addresses to appear on the wire.
table 2 add ::ffff:0.0.0.0/96
# Disallow packets to malicious IPv4 compatible prefix.
#table 2 add ::224.0.0.0/100 gives error "Use IPv4 instead of v4-compatible"
#table 2 add ::127.0.0.0/104 ditto
table 2 add ::0.0.0.0/104
#table 2 add ::255.0.0.0/104 ditto
# table 2 add ::0.0.0.0/96
# Disallow packets to malicious 6to4 prefix.
table 2 add 2002:e000::/20
table 2 add 2002:7f00::/24
table 2 add 2002:0000::/24
table 2 add 2002:ff00::/24
# table 2 add 2002:0a00::/24
table 2 add 2002:ac10::/28
table 2 add 2002:c0a8::/32
# table 2 add ff05::/16
# block these addresses both incoming and outgoing
add deny all from table(2) to any via IPV6_IF
add deny all from any to table(2) via IPV6_IF

# allow setup of incoming SSH, IMAPS, and OpenVPN
add allow tcp from any to me ssh setup
add allow tcp from any to me6 ssh setup
add allow tcp from any to me imaps setup
add allow tcp from any to me6 imaps setup
add allow tcp from any to me openvpn setup
add allow tcp from any to me6 openvpn setup
add allow udp from any to me openvpn

# allow IPP, IMAPS, and SMTP from wireless
add allow ip from any to LAN_NET dst-port printer setup via WIFI_IF
add allow ip from any to me dst-port ipp setup via WIFI_IF
add allow ip from any to me dst-port smtp setup via WIFI_IF
add allow ip from any to me dst-port imaps setup via WIFI_IF

# allow some ICMP types but nothing else
add allow icmp from any to any icmptypes 0,3,8,11
add deny icmp from any to any
#add allow ipv6 from any to any

# NAT
# redirect ports to PS4
nat 1 config if OUTSIDE_IF same_ports redirect_port tcp PS4_ADDR:1935 1935 redirect_port tcp PS4_ADDR:3478 3478 redirect_port tcp PS4_ADDR:3479 3479 redirect_port tcp PS4_ADDR:3480 3480 redirect_port udp PS4_ADDR:3478 3478 redirect_port udp PS4_ADDR:3479 3479
add nat 1 ip4 from any to any via OUTSIDE_IF
# and block the above table again outbound
add deny all from table(1) to any out xmit OUTSIDE_IF

# allow TCP through if setup succeeded
add pass tcp from any to any established
# allow IP fragments to pass through
add pass all from any to any frag

# allow TCP ports needed for PS4
add allow tcp from any to PS4_ADDR 1935 in via OUTSIDE_IF setup
add allow tcp from any to PS4_ADDR 3478 in via OUTSIDE_IF setup
add allow tcp from any to PS4_ADDR 3479 in via OUTSIDE_IF setup
add allow tcp from any to PS4_ADDR 3480 in via OUTSIDE_IF setup
add allow udp from any to PS4_ADDR 3478 in via OUTSIDE_IF
add allow udp from any to PS4_ADDR 3479 in via OUTSIDE_IF

# allow DNS & NTP queries out to the world (and their replies back in)
add allow udp from me to any 53 keep-state
add allow udp from me to any 123 keep-state
# but no other UDP in from outside
add deny udp from any to any in via OUTSIDE_IF
# and allow any other UDP
add allow udp from any to any

# reject all setup of incoming connections from the outside
add deny tcp from any to any in via OUTSIDE_IF setup
# reject all setup of incoming connections from the IPV6 tunnel
add deny tcp from any to any in via gif0 setup
# reject all setup of incoming connections from the wireless
add deny tcp from any to any in via WIFI_IF setup
# allow setup of any other TCP connection
add pass tcp from any to any setup

# Everything else is denied by default, unless the IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel config file.
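The working ruleset above rests on one invariant worth checking mechanically: the "add nat" rule rewrites the destination to PS4_ADDR, so each redirect_port entry also needs an allow rule for the translated address and port placed after "add nat", or the later "deny ... in via OUTSIDE_IF" rules drop the packet. The checker below is an added example and not part of the post; the ruleset it parses is a constructed, trimmed copy of Graham's with the m4 macro names left unexpanded and one UDP allow rule deliberately omitted.

```python
import re

# Constructed, trimmed copy of the post's ruleset with one forward rule left
# out on purpose (UDP 3479); m4 macros left unexpanded.
SAMPLE_RULES = """\
nat 1 config if OUTSIDE_IF same_ports redirect_port tcp PS4_ADDR:1935 1935 redirect_port tcp PS4_ADDR:3478 3478 redirect_port udp PS4_ADDR:3478 3478 redirect_port udp PS4_ADDR:3479 3479
add nat 1 ip4 from any to any via OUTSIDE_IF
add pass tcp from any to any established
# allow TCP ports needed for PS4
add allow tcp from any to PS4_ADDR 1935 in via OUTSIDE_IF setup
add allow tcp from any to PS4_ADDR 3478 in via OUTSIDE_IF setup
add allow udp from any to PS4_ADDR 3478 in via OUTSIDE_IF
add deny udp from any to any in via OUTSIDE_IF
add deny tcp from any to any in via OUTSIDE_IF setup
"""

REDIRECT_RE = re.compile(r"redirect_port\s+(tcp|udp)\s+(\S+):(\d+)\s+(\d+)")
# After 'add nat' the inbound packet already carries the internal address
# and port, so that is what the allow rule has to match.
ALLOW_RE = re.compile(r"^add\s+(?:allow|pass|accept)\s+(tcp|udp)\s+from\s+any"
                      r"\s+to\s+(\S+)\s+(\d+)\s+in\s+via\s+(\S+)")

def parse_ruleset(text):
    """Return (redirects, inbound allow rules, line index of the 'add nat' rule)."""
    redirects, allows, nat_idx = [], [], None
    for idx, raw in enumerate(text.splitlines()):
        line = raw.split("#", 1)[0].strip()   # ipfw treats # as a comment
        if line.startswith("nat ") and " config " in line:
            for proto, addr, iport, eport in REDIRECT_RE.findall(line):
                redirects.append((proto, addr, int(iport), int(eport)))
        elif line.startswith("add nat "):
            nat_idx = idx
        else:
            m = ALLOW_RE.match(line)
            if m:
                allows.append((idx, m[1], m[2], int(m[3]), m[4]))
    return redirects, allows, nat_idx

def missing_forward_rules(text, outside_if):
    """redirect_port entries that no allow rule placed after 'add nat' lets in."""
    redirects, allows, nat_idx = parse_ruleset(text)
    return [r for r in redirects
            if not any(a[1:4] == r[:3] and a[4] == outside_if
                       and nat_idx is not None and a[0] > nat_idx
                       for a in allows)]

if __name__ == "__main__":
    for proto, addr, iport, eport in missing_forward_rules(SAMPLE_RULES, "OUTSIDE_IF"):
        print(f"no inbound allow rule for {proto} {eport} -> {addr}:{iport}")
```

Run it against the real /etc/ipfw.rules after expanding the m4 macros (m4 with the same -D flags as firewall_flags) and pass the actual outside interface name instead of OUTSIDE_IF.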