From: Michael Powell
Reply-To: nightrecon@verizon.net
To: freebsd-questions@freebsd.org
Date: Fri, 28 Nov 2008 03:23:03 -0500
Subject: Re: pf or ipf rules to allow p2p Limewire through
References: <492E60A8.6080105@a1poweruser.com> <492F82D1.4020000@bah.homeip.net> <492F8E9B.5040805@a1poweruser.com> <492F95EB.8080308@bah.homeip.net> <492F9B68.8080407@a1poweruser.com>

Fbsd1 wrote:

[snip]

> The only way I can run limewire is to disable my firewall and that does
> not make me happy.

This is simply not true. I have at one time or another run Limewire on each of the three different firewalls. Currently, for a little over one year now, it has been pf. The difference is just syntax.

> I think the conclusion is that all 3 of the freebsd firewalls are unable
> to monitor packet exchange of p2p applications. These firewalls were
> designed before p2p applications were developed and their (p2p) inherent
> design is to defeat standard firewall designs.

I really do not understand most of the above paragraph; it makes little sense to me. Non sequitur. The OSI reference stack has 7 layers. These firewalls are simple packet filtering firewalls and only reach Layer 4. The Application layer is Layer 7, and these firewalls do not perform the deep packet inspection or decoding required to filter at Layer 7.

As far as reading the docs is concerned, it should become apparent that there are 3 modalities for configuring Limewire. In my situation I have a FreeBSD server acting as a gateway with pf and DNS running. The UPnP option is for a typical Windows user who may have a router device that will assist a UPnP service to autoconfigure the Windows box. Proceed to examining the second option, Manual Port Forward. I'll ignore the third as it is "Do Nothing", which is useless.

So on the Limewire "Advanced -> Firewall" config page enter a port number, such as 6346, in both the "Listen on Port" and the "Manual Port Forward" boxes. Then after your NAT rule in pf.conf enter something like the following:

    rdr on $ExtIF proto tcp from any to any port 6346 -> 192.168.10.2 port 6346

and a corresponding filter pass rule:

    pass in quick on $ExtIF inet proto tcp from any to 192.168.10.2 port 6346 keep state

192.168.10.2 is my desktop machine where I use Limewire. It works just fine.

-Mike
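The two rules in the message only make sense in the context of a full ruleset, so here is a minimal pf.conf that places them where the message says they belong (the rdr rule after the outbound NAT rule, the pass rule matching the already-translated internal address). This is an added example, not Mike's own configuration: the interface names, the LAN prefix and the macro names are assumptions; only the desktop address 192.168.10.2 and port 6346 come from the message.

```pf
# Added example: minimal FreeBSD pf.conf built around the rdr/pass pair from the message.
# Interface names, LAN prefix and macro names are assumptions; adjust to your gateway.
ExtIF  = "em0"              # assumed Internet-facing interface
IntIF  = "em1"              # assumed LAN interface
LAN    = "192.168.10.0/24"  # assumed LAN prefix
LWHost = "192.168.10.2"     # desktop running Limewire (from the message)
LWPort = "6346"             # value entered in "Listen on Port" and "Manual Port Forward"

set skip on lo0
scrub in all

# Outbound NAT for the LAN. The rdr rule must follow it, as the message says.
nat on $ExtIF from $LAN to any -> ($ExtIF)

# Redirect inbound TCP on the Limewire port to one internal host only.
rdr on $ExtIF proto tcp from any to any port $LWPort -> $LWHost port $LWPort

# Default deny inbound; allow outbound with state.
block in log all
pass out quick keep state

# Translation happens before filtering, so the filter rule must name the
# internal host and port, not the external address.
pass in quick on $ExtIF inet proto tcp from any to $LWHost port $LWPort keep state

# Let the LAN reach the gateway and the Internet.
pass in quick on $IntIF from $LAN to any keep state
```

Check the syntax without loading it using `pfctl -nf /etc/pf.conf`, then confirm the loaded translation and filter rules with `pfctl -sn` and `pfctl -sr`. The exposure is limited to one TCP port on one host; if the application also listens on UDP on the same port, it needs its own rdr/pass pair rather than a broader rule.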