Date:      Mon, 30 Nov 2015 00:27:31 +1100 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Graham Menhennitt <graham@menhennitt.com.au>
Cc:        "Thomás S. Bregolin" <thomas5th@gmail.com>, freebsd-ipfw@freebsd.org
Subject:   Re: connecting a PS4 via IPFW
Message-ID:  <20151129235037.L63537@sola.nimnet.asn.au>
In-Reply-To: <565A4ED9.2080102@menhennitt.com.au>
References:  <5655405C.1060301@menhennitt.com.au> <20151127180317.GA3661@host> <56592B3D.5070800@menhennitt.com.au> <20151128094753.GA5426@bloo> <565A4ED9.2080102@menhennitt.com.au>

On Sun, 29 Nov 2015 12:03:21 +1100, Graham Menhennitt wrote:
 > On 28/11/2015 20:47, Thomás S. Bregolin wrote:
 > > Besides the redirect_port option, you still need rules allowing traffic
 > > in to those ports. Excuse-me if you've done that already (I have no way
 > > of knowing).
 > >
 > >
 > > Sat, Nov 28, 2015 at 03:19:09PM +1100, Graham Menhennitt:
 > >> On 28/11/2015 05:03, Thomas wrote:
 > >>> Wed, Nov 25, 2015 at 04:00:12PM +1100, Graham Menhennitt:
 > >>>> I have a box running FreeBSD 10-stable that I use as a
 > >>>> router/firewall/NAT. It runs IPFW and uses kernel NAT. My son is nagging
 > >>>> me about playing multi-player online games on his Sony PS4.
 > >>>>
 > >>>> Giving up on that, I'm now trying to enable port forwarding -
 > >>>> apparently, this will fix it. I've allocated the PS4 a static IP address
 > >>>> on my LAN. I need to port forward TCP ports 80, 443, 1935, 3478-3480,
 > >>>> and UDP ports 3478-3479. I've tried the following command:
 > >>>>
 > >>>> ipfw nat 1 config if re1 same_ports \
 > >>>>         redirect_port tcp ${PS4_LAN_ADDRESS}:1935 1935 \
 > >>>>         redirect_port tcp ${PS4_LAN_ADDRESS}:3478 3478 \
 > >>>>         redirect_port tcp ${PS4_LAN_ADDRESS}:3479 3479 \
 > >>>>         redirect_port tcp ${PS4_LAN_ADDRESS}:3480 3480 \
 > >>>>         redirect_port udp ${PS4_LAN_ADDRESS}:3478 3478 \
 > >>>>         redirect_port udp ${PS4_LAN_ADDRESS}:3479 3479
 > >>>>
 > >>>>
 > Thanks again, Thomas and Ian.
 > 
 > I have attempted to let those ports in, but I'm not really sure what I'm
 > doing. My firewall rules are below - could you please have a look. I
 > allow almost all UDP and I've added rules for the four relevant TCP
 > ports. As Ian suggested, I've removed ports 80 and 443 from the redirects.
 > 
 > Thanks,
 >     Graham

There are some minor details (eg 'almost all UDP' and icmp) that I'll 
mention but not dwell on, until your $subject issue is solved, so this 
is just a bit of a first pass; I could miss some significant points :)

 > # stop spoofing
 > add deny all from LAN_NET to any in via OUTSIDE_IF
 > add deny all from WIFI_NET to any in via OUTSIDE_IF
 > 
 > # allow anything on the LAN
 > add allow all from any to any via LAN_IF
 > 
 > # and from the VPN
 > add allow all from any to any via VPN_IF
 > 
 > # allow anything from the wireless network to here and the outside world (but not to the LAN)
 > add allow ip from any to me via WIFI_IF
 > add allow ip from any to not LAN_NET via WIFI_IF
 > 
 > # create a table of addresses to block
 > table 1 flush
 > # add RFC1918 nets
 > table 1 add 10.0.0.0/8
 > table 1 add 172.16.0.0/12
 > table 1 add 192.168.0.0/16
 > # and draft-manning-dsua-03.txt nets
 > table 1 add 0.0.0.0/8
 > table 1 add 169.254.0.0/16
 > table 1 add 192.0.2.0/24
 > table 1 add 224.0.0.0/4
 > table 1 add 240.0.0.0/4
 > # stop entries in the table on the outside interface
 > add deny all from table(1) to any via OUTSIDE_IF

Good idea.  You may want to also deny these the reverse way, after NAT 
(refer /etc/rc.firewall 'simple' ruleset), which may inform re this.

 > # allow setup of incoming SSH, IMAPS, and OpenVPN
 > add allow tcp from any to me ssh setup
 > add allow tcp from any to me imaps setup
 > add allow tcp from any to me openvpn setup
 > add allow udp from any to me openvpn
 > 
 > # allow IPP and SMTP from wireless
 > add allow ip from any to LAN_NET dst-port printer setup via WIFI_IF
 > add allow ip from any to me dst-port ipp setup via WIFI_IF
 > add allow ip from any to me dst-port smtp setup via WIFI_IF
 > 
 > # allow ICMP & UDP
 > #  ..except UPnP discovery
 > add deny udp from any to any 1900
 > #  .. and SIP in from outside
 > add deny udp from any to any in via OUTSIDE_IF dst-port 5060-5069
 > #add allow igmp from any to any
 > add allow icmp from any to any
 > add allow udp from any to any

Likely you should work out which UDP you _do_ want to pass, and deny the 
rest.  Use 'log' on more rules, at least at first, so you can see stuff 
happening, to catch eg ports you do want open (DNS, NTP...) or closed.

  allow icmp from any to any icmptypes 0,3,8,11
  deny icmp from any to any

is safer and generally all you need, and you need 3 and 11 for TCP PMTU 
discovery and traceroute.  Especially don't allow icmp redirects; you 
can block them with a sysctl but it's easier to just drop them outright 
along with all the other icmptypes not of interest.

 > # Network Address Translation.
 > nat 1 config if OUTSIDE_IF same_ports deny_in

What happened to your redirect_ports? You still need these.  And I'm not 
sure whether deny_in is appropriate here, as you do want to allow fresh 
inbound connections to the redirected ports for the PS4.  You're already 
dealing with unsolicited inbound requests anyway, though tighter UDP 
would be reassuring.

natd(8) has a lot deeper discussion of NAT options, almost all of it is 
relevant also to kernel NAT, except, as I recall, the proxy_port stuff.

 > add nat 1 ip4 from any to any via OUTSIDE_IF
 > 
 > # Allow TCP through if setup succeeded
 > add pass tcp from any to any established
 > 
 > # Allow IP fragments to pass through
 > add pass all from any to any frag
 > 
 > # allow TCP ports needed for PS4
 > add allow tcp from any to any 1935 in via OUTSIDE_IF setup
 > add allow tcp from any to any 3478 in via OUTSIDE_IF setup
 > add allow tcp from any to any 3479 in via OUTSIDE_IF setup
 > add allow tcp from any to any 3480 in via OUTSIDE_IF setup

These would be better more explicitly 'to $PS4_IP' than 'to any'.

 > # reject all setup of incoming connections from the outside
 > add deny tcp from any to any in via OUTSIDE_IF setup
 > 
 > # reject all setup of incoming connections from the wireless
 > add deny tcp from any to any in via WIFI_IF setup
 > 
 > # Allow setup of any other TCP connection
 > add pass tcp from any to any setup

cheers, Ian
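An added example, not from the thread, that assembles the PS4 part of the ruleset the way Ian's comments suggest: the redirect_port entries stay on the kernel NAT config, the inbound setup rules name the console's address instead of 'any' and carry 'log', and ICMP is limited to types 0,3,8,11. OUTSIDE_IF, PS4_IP and the function names are assumptions.

```shell
#!/bin/sh
# Added example: generate the PS4-related ipfw rules as text so they can be
# reviewed (or syntax-checked with "ipfw -n <file>") before loading.
OUTSIDE_IF=${OUTSIDE_IF:-re1}            # assumed name of the outside interface
PS4_IP=${PS4_IP:-192.168.1.50}           # assumed static LAN address of the PS4
PS4_TCP_PORTS="1935 3478 3479 3480"      # ports from the original post (80/443 dropped)
PS4_UDP_PORTS="3478 3479"

# One "nat 1 config" line with a redirect_port for every forwarded port.
ps4_nat_config() {
    line="nat 1 config if $OUTSIDE_IF same_ports"
    for p in $PS4_TCP_PORTS; do
        line="$line redirect_port tcp $PS4_IP:$p $p"
    done
    for p in $PS4_UDP_PORTS; do
        line="$line redirect_port udp $PS4_IP:$p $p"
    done
    printf '%s\n' "$line"
}

# Inbound rules on the outside interface, scoped to the PS4 address.
# These must sit after "add nat 1 ..." so they see the translated destination.
ps4_allow_rules() {
    for p in $PS4_TCP_PORTS; do
        printf 'add allow log tcp from any to %s %s in via %s setup\n' \
            "$PS4_IP" "$p" "$OUTSIDE_IF"
    done
    for p in $PS4_UDP_PORTS; do
        printf 'add allow log udp from any to %s %s in via %s\n' \
            "$PS4_IP" "$p" "$OUTSIDE_IF"
    done
}

# Echo reply/request, unreachable (needed for PMTU discovery) and time
# exceeded (traceroute); everything else, redirects included, is dropped.
icmp_rules() {
    printf 'add allow icmp from any to any icmptypes 0,3,8,11\n'
    printf 'add deny icmp from any to any\n'
}

ps4_ruleset() {
    ps4_nat_config
    printf 'add nat 1 ip4 from any to any via %s\n' "$OUTSIDE_IF"
    ps4_allow_rules
    icmp_rules
}

if [ "${1:-}" = "print" ]; then
    ps4_ruleset
fi
```

Run with the argument `print` to emit the fragment; redirect it to a file and check it with `ipfw -n` before merging it into the real ruleset.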



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20151129235037.L63537>