From: Dan Nelson
To: Roy Stuivenberg
Cc: freebsd-questions@freebsd.org
Date: Tue, 10 Mar 2009 15:35:03 -0500
Subject: Re: IPFW torrent
Message-ID: <20090310203502.GK3398@dan.emsphone.com>

In the last episode (Mar 10), Roy Stuivenberg said:
> I can't seem to get my torrent client working when ipfw is up.
>
> These are the rules I use in my script for the torrent client (ktorrent):
>
> # Allow ktorrent out to the outside.
> $cmd 00283 allow tcp from any to any 50427 out via $pif setup keep-state
> $cmd 00284 allow udp from any to any 50427 out via $pif keep-state
> $cmd 00285 allow udp from any to any 50428 out via $pif keep-state
> $cmd 00286 allow udp from any to any 50429 out via $pif keep-state

These rules apply to outgoing traffic to TCP/50427 and UDP/50427-50429.
Unless you can guarantee that all your peers are listening on those ports,
those rules aren't going to do much good... Unless you're applying these
rules on an intermediate router box, and $pif is your "trusted network"
interface, in which case the rules look okay.

A good way to troubleshoot firewall problems is to set the sysctl
net.inet.ip.fw.verbose=1, add a "reset log ip from any to any" rule to the
bottom of your list, and run "tail -f /var/log/security" to watch for
blocked packets.

> In my router these ports are open too.
>
> I googled about this issue and found this rule, but it doesn't look safe
> to me. Looks like everything is open?
>
> 520 allow tcp from any to any out keep-state

A rule like this is usually applied to the actual machine running ktorrent,
so any outgoing traffic (and any replies to that traffic) is allowed.
Alternatively, a rule like this could be applied to an intermediate router:

  allow ip from any to any in via $trusted_interface out via $external_interface keep-state

-- 
	Dan Nelson
	dnelson@allantgroup.com
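As an added example (not part of the original thread, and not Dan's or Roy's code), the following POSIX sh script does the "watch for blocked packets" step in a way that can be run offline: it takes ipfw log lines of the kind that net.inet.ip.fw.verbose=1 plus a trailing "reset log ip from any to any" rule write to /var/log/security, and summarizes the non-accepted packets by direction, protocol and destination port. The log lines in SAMPLE_LOG are constructed for the example (RFC 5737 documentation addresses, made-up ports), and the field layout "ipfw: RULE ACTION PROTO SRC:PORT DST:PORT DIR via IFACE" is an assumption about the kernel's log format; adjust the awk field offsets if your FreeBSD release logs differently. The sample illustrates the point made above: with rules that only permit traffic to port 50427, connections to peers listening on other ports are the ones that show up as blocked.

```shell
#!/bin/sh
# Added example: summarize blocked packets from ipfw log lines.
# Assumed line layout after "kernel:":
#   ipfw: RULE ACTION PROTO SRC:PORT DST:PORT DIR via IFACE
# In real use, replace SAMPLE_LOG with: tail -f /var/log/security

# Constructed sample log lines (not real traffic). Rule 283 is the
# port-specific allow from the thread; 65000 is an assumed number for
# the trailing "reset log ip from any to any" rule.
SAMPLE_LOG='Mar 10 15:35:03 gw kernel: ipfw: 65000 Reset TCP 192.0.2.10:51234 198.51.100.7:6881 out via em0
Mar 10 15:35:04 gw kernel: ipfw: 65000 Reset TCP 192.0.2.10:51235 198.51.100.8:6889 out via em0
Mar 10 15:35:05 gw kernel: ipfw: 65000 Reset UDP 192.0.2.10:50427 203.0.113.3:6881 out via em0
Mar 10 15:35:06 gw kernel: ipfw: 283 Accept TCP 192.0.2.10:51236 203.0.113.9:50427 out via em0
Mar 10 15:35:07 gw kernel: ipfw: 65000 Reset TCP 203.0.113.55:40000 192.0.2.10:50427 in via em0'

# blocked_summary: print one "DIR PROTO DSTPORT COUNT" line per distinct
# combination, for every ipfw log line whose action is not Accept.
blocked_summary() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        /kernel: ipfw:/ {
            # locate the "ipfw:" token so syslog prefix width does not matter
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            action = $(i+2); proto = $(i+3); dst = $(i+5); dir = $(i+6)
            if (action == "Accept") next
            # destination port is the last colon-separated component
            n = split(dst, a, ":"); port = a[n]
            c[dir " " proto " " port]++
        }
        END { for (k in c) print k, c[k] }' | sort
}

# blocked_count DIR: number of non-accepted packets in direction DIR (in|out)
blocked_count() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v d="$1" '
        /kernel: ipfw:/ {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            if ($(i+2) != "Accept" && $(i+6) == d) n++
        }
        END { print n+0 }'
}

# Stand-alone run: show the summary and the per-direction totals.
blocked_summary
echo "blocked out: $(blocked_count out)"
echo "blocked in:  $(blocked_count in)"
```

On the constructed input the summary shows three outgoing packets blocked (peers on ports 6881 and 6889) against one accepted on 50427, which is the symptom the reply describes: peers do not all listen on the port the rules name, so a destination-port-specific allow is not enough on the machine that runs the client.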