Date: Wed, 16 Feb 2005 13:04:28 -0000
From: "Paul" <paul@theharbour.eclipse.co.uk>
To: <freebsd-questions@freebsd.org>
Subject: ipf, ipnat and Bittorrent
Message-ID: <E1D1Oqe-0002J8-00@marl.lancs.ac.uk>
I am trying to forward bittorrent ports on FreeBSD 5.3 with ipf and ipnat. But the bittorrent indicator stays yellow, which means it isn't set up correctly. Also, I don't get as many connections to peers as I should and download speeds are very poor. My ipnat.rules and ipf.rules files are shown below:

ipnat.rules:

#Rules for ipnat
#This line says to map outbound traffic to your public IP address
map tun0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
#bittorrent
rdr tun0 0/32 port 6881 -> 192.168.0.3 port 6881 tcp/udp
rdr tun0 0/32 port 6882 -> 192.168.0.3 port 6882 tcp/udp
rdr tun0 0/32 port 6883 -> 192.168.0.3 port 6883 tcp/udp
rdr tun0 0/32 port 6884 -> 192.168.0.3 port 6884 tcp/udp
rdr tun0 0/32 port 6885 -> 192.168.0.3 port 6885 tcp/udp
rdr tun0 0/32 port 6886 -> 192.168.0.3 port 6886 tcp/udp
rdr tun0 0/32 port 6887 -> 192.168.0.3 port 6887 tcp/udp
rdr tun0 0/32 port 6888 -> 192.168.0.3 port 6888 tcp/udp
rdr tun0 0/32 port 6889 -> 192.168.0.3 port 6889 tcp/udp
rdr tun0 0/32 port 6890 -> 192.168.0.3 port 6890 tcp/udp

ipf.rules:

#####################################################################
#
# IP packet filtering rules (firewall)
#
# If you change this file, run
#   ipf -Fa -f /etc/ipf.rules
# to update kernel tables
# All rules are "quick" so go strictly top to bottom

# Don't bug loopback
#
pass out quick on lo0
pass in quick on lo0

# Don't bother the inside interface either
#
pass out quick on sis0
pass in quick on sis0

#####################################################################
#
# First, we deal with bogus packets.
#
# Block any inherently bad packets coming in from the outside world.
# These include ICMP redirect packets and IP fragments so short the
# filtering rules won't be able to examine the whole UDP/TCP header.
#
block in log quick on tun0 proto icmp from any to any icmp-type redir
block in log quick on tun0 proto tcp/udp all with short

# Block any IP spoofing attempts. (Packets "from" non-routable
# addresses shouldn't be coming in from the outside).
#
block in quick on tun0 from 192.168.0.0/16 to any
block in quick on tun0 from 127.0.0.0/8 to any
block in quick on tun0 from 172.16.0.0/12 to any
block in quick on tun0 from 10.0.0.0/8 to any
block in quick on tun0 from 0.0.0.0/8 to any
block in quick on tun0 from 169.254.0.0/16 to any
block in quick on tun0 from 192.0.2.0/24 to any
block in quick on tun0 from 204.152.64.0/23 to any
block in quick on tun0 from 224.0.0.0/3 to any
block in quick on tun0 from 255.255.255.255/32 to any

# Kill all source-routed packets
#
block in quick on tun0 all with opt lsrr
block in quick on tun0 all with opt ssrr

# Don't allow non-routable packets to leave our network
#
block out quick on tun0 from any to 192.168.0.0/16
block out quick on tun0 from any to 127.0.0.0/8
block out quick on tun0 from any to 172.16.0.0/12
block out quick on tun0 from any to 10.0.0.0/8
block out quick on tun0 from any to 0.0.0.0/8
block out quick on tun0 from any to 169.254.0.0/16
block out quick on tun0 from any to 192.0.2.0/24
block out quick on tun0 from any to 204.152.64.0/23
block out quick on tun0 from any to 224.0.0.0/3
block out quick on tun0 from any to 255.255.255.255/32
#
#####################################################################

#####################################################################
#
# Now the normal filtering rules
#
# ICMP: allow incoming ping and traceroute only
#
pass in quick on tun0 proto icmp from any to any icmp-type echorep
pass in quick on tun0 proto icmp from any to any icmp-type echo
pass in quick on tun0 proto icmp from any to any icmp-type timex
pass in quick on tun0 proto icmp from any to any icmp-type unreach
block in log quick on tun0 proto icmp from any to any

# TCP: Allow various incoming services. Only match
# SYN packets, and allow the state table to handle the rest of the
# connection.
#
pass in quick on tun0 proto tcp from any to any port = ssh flags S keep frags keep state
pass in quick on tun0 proto tcp from any to any port = http flags S keep frags keep state
pass in quick on tun0 proto tcp from any to any port = 443 flags S keep frags keep state
pass in quick on tun0 proto tcp from any to any port = ftp keep state
pass in quick on tun0 proto tcp from any to any port = 3306 flags S keep frags keep state
pass in quick on tun0 proto tcp from any to any port 6880 >< 6891 flags S keep state
pass in quick on tun0 proto udp from any to any port 6880 >< 6891 keep state

# Of course we need to allow packets coming in as replies to our
# connections so we keep state. Strictly speaking, with packets
# coming from our network we don't have to only match SYN,
# and it's rather unlikely that there will be any fragments. But
# what the hell.
#
pass out quick on tun0 proto tcp from any to any flags S keep frags keep state
pass out quick on tun0 proto udp from any to any keep state
pass out quick on tun0 proto icmp from any to any keep state

# End of rules. Block everything to all ports, all protocols and return
# RST (TCP) or ICMP/port-unreachable (UDP). Don't forget to rewrite the
# source address of the "port unreachable" message, hence -as-dest
#
block return-rst in log quick on tun0 proto tcp from any to any
block return-icmp-as-dest in log quick on tun0 proto udp from any to any
block in quick all
#
# End of file
#
#####################################################################
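A small consistency check for the two rule files above, added here as an example and not part of the original post: it expands each ipnat `rdr` line into the external ports it forwards and confirms that an ipf `pass in` rule on the same interface and protocol admits each one, evaluating ipf port expressions such as `= 443` and the exclusive range `6880 >< 6891` (so 6881 through 6890 are inside, 6880 and 6891 are not). The rule excerpts below are constructed from the post; the `rdr` parser also accepts a `port lo-hi` range, which the post does not use.

```python
import re

# Constructed excerpt of the two rule files from the post (not the full files).
IPNAT_RULES = """
map tun0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
rdr tun0 0/32 port 6881 -> 192.168.0.3 port 6881 tcp/udp
rdr tun0 0/32 port 6890 -> 192.168.0.3 port 6890 tcp/udp
"""
IPF_RULES = """
pass in quick on tun0 proto tcp from any to any port = ssh flags S keep frags keep state
pass in quick on tun0 proto tcp from any to any port 6880 >< 6891 flags S keep state
pass in quick on tun0 proto udp from any to any port 6880 >< 6891 keep state
block in quick all
"""

# rdr <iface> <ext addr> port <lo>[-<hi>] -> <int addr> port <dport> <proto>[/<proto>]
RDR_RE = re.compile(r"^rdr\s+(\S+)\s+\S+\s+port\s+(\d+)(?:-(\d+))?\s+->\s+\S+\s+port\s+\d+\s+(\S+)")
# pass in ... on <iface> proto <proto> from <x> to <y> port <expr> [flags ...] [keep ...]
PASS_RE = re.compile(r"^pass\s+in\b.*?\bon\s+(\S+)\s+proto\s+(\S+)\s+from\s+\S+\s+to\s+\S+"
                     r"\s+port\s+(.*?)(?:\s+flags\b|\s+keep\b|$)")

def rdr_ports(text):
    """Expand each rdr rule into (iface, proto, external port) triples."""
    out = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if not m:
            continue
        iface, lo, hi, protos = m.groups()
        lo, hi = int(lo), int(hi) if hi else int(lo)
        out += [(iface, p, port) for p in protos.split("/") for port in range(lo, hi + 1)]
    return out

def pass_in_rules(text):
    """Collect (iface, proto, port expression) from every 'pass in' rule."""
    return [m.groups() for m in map(PASS_RE.match, (l.strip() for l in text.splitlines())) if m]

def port_expr_matches(expr, port):
    """Evaluate an ipf port expression such as '= 443' or '6880 >< 6891' for one port."""
    toks = expr.split()
    if len(toks) == 2 and toks[1].isdigit():          # '= 443', '>= 1024', ...
        v = int(toks[1])
        return {"=": port == v, "!=": port != v, ">": port > v, "<": port < v,
                ">=": port >= v, "<=": port <= v}.get(toks[0], False)
    if len(toks) == 3 and toks[1] in ("><", "<>"):    # '><' is exclusive on both ends
        inside = int(toks[0]) < port < int(toks[2])
        return inside if toks[1] == "><" else not inside
    return False                                      # service names (ssh, http) are not resolved here

def unmatched_redirects(ipnat_text, ipf_text):
    """Forwarded (iface, proto, port) triples that no ipf pass-in rule on that interface admits."""
    passes = pass_in_rules(ipf_text)
    return [(i, pr, po) for i, pr, po in rdr_ports(ipnat_text)
            if not any(i == pi and pr in pp.split("/") and port_expr_matches(ex, po)
                       for pi, pp, ex in passes)]

if __name__ == "__main__":
    print("forwarded ports with no pass-in rule:", unmatched_redirects(IPNAT_RULES, IPF_RULES))
```

An empty result only shows the two files agree with each other; it says nothing about the NAT being applied before filtering or about the client at 192.168.0.3 actually listening.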