Date: Fri, 8 Aug 2003 13:37:30 -0500
From: "Darryl Hoar" <darryl@osborne-ind.com>
To: "'Mike Maltese'" <mike@pcmedx.com>
Cc: freebsd-questions@freebsd.org
Subject: RE: ipfilter - port forward question
Message-ID: <004901c35ddc$209379b0$0701a8c0@darryl>
In-Reply-To: <007101c35d28$c6e57f70$f4f0a8c0@pcmedx.com>
Well, it does in fact use UDP. Here is what I have done.

Added to /etc/ipfilter.rules:

pass in quick on ep0 proto tcp from any to any port = 31240 keep state

Added to /etc/ipnat.rules:

rdr ep0 0/0 port 31240 -> 192.168.1.35 port 31240 udp

First question: I can reload the ipfilter rules with

ipf -Fa -f /etc/ipfilter.rules

How do I reload the ipnat rules? I tried ipnat -F, then ipnat -f /etc/ipnat.rules. But when I did an ipnat -l, it showed that it had just added the new rdr (so I had two listed).

I rebooted. External users still couldn't connect. So I created a new ipfilter.rules file with:

pass in quick on ep0 all keep state
pass out quick on ep0 all keep state

and reloaded the firewall rules. Users tried to connect but couldn't. When I looked at the nat table I saw:

map 192.168.1.35 1256 <- -> 24.225.33.88 1256 [24.225.17.163 5101]
rdr 192.168.1.35 31240 <- -> 24.225.33.88 31240 [24.225.17.163 1131]
<snip out duplicate entries with 1131 changing to different values>

I feel I'm close. What am I missing/screwing up?

thanks,
Darryl
FreeBSD 4.7S

>-----Original Message-----
>From: Mike Maltese [mailto:mike@pcmedx.com]
>Sent: Thursday, August 07, 2003 4:14 PM
>To: freebsd-questions@freebsd.org
>Cc: darryl@osborne-ind.com
>Subject: Re: ipfilter - port forward question
>
>
>> map ep0 192.168.1.0/24 -> 0/32
>> rdr epo 24.225.33.0/32 port 31240 -> 192.168.1.35 port 31240 tcp
>
>Try "rdr ep0 0/0 port 31240 -> 192.168.1.35 port 31240 tcp" in your nat
>rules and try something like "pass in quick on ed0 all keep state/pass out
>quick on ed0 all keep state" in your ipf rules. There's really no need to
>open up the whole machine like this though. Why not "pass in quick on ed0
>proto tcp from any to any port = 31240 flags S keep state"? One last thing
>that I just thought of...are you sure the game uses TCP? Most games use UDP
>because of the lower overhead.
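An added example, not code from the thread or from either poster, that puts the pieces discussed above together in one script for IPFilter on FreeBSD 4.x: an rdr and a pass rule that agree on the protocol (both UDP), and a reload that replaces the loaded NAT rules instead of appending to them. Two IPFilter facts the script relies on: inbound packets pass through NAT before the filter, so the pass rule sees the already-rewritten destination; and ipnat -F only flushes the active translation table, while -C flushes the rule list, which is why -F followed by -f leaves two copies of the rdr in ipnat -l. The interface (ep0), internal host (192.168.1.35), LAN (192.168.1.0/24) and port (31240) are taken from the thread; the rule-file layout under /etc, the outbound and trailing block rules, and the RULES_DIR override are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes FreeBSD 4.x with
# IPFilter/IPNAT, outside interface ep0 and internal host 192.168.1.35
# as in the thread. RULES_DIR is an illustrative override so the rule
# files can be generated somewhere other than /etc for inspection.
set -eu

WAN_IF=ep0
LAN_NET=192.168.1.0/24
GAME_HOST=192.168.1.35
GAME_PORT=31240
RULES_DIR=${RULES_DIR:-/etc}

# NAT rules: outbound masquerade for the LAN plus one redirect for the
# game. The rdr names the protocol explicitly; a UDP game needs "udp".
write_ipnat_rules() {
    cat > "$RULES_DIR/ipnat.rules" <<EOF
map $WAN_IF $LAN_NET -> 0/32
rdr $WAN_IF 0/0 port $GAME_PORT -> $GAME_HOST port $GAME_PORT udp
EOF
}

# Filter rules. Inbound packets are translated by the rdr before the
# filter runs, so the pass rule must match the same protocol and port
# as the rdr (udp, not tcp). "keep state" lets the replies back out
# without a separate rule. The final block rule is the assumed default
# deny; add rules for your own admin access (ssh etc.) above it before
# loading this on a machine you reach remotely.
write_ipfilter_rules() {
    cat > "$RULES_DIR/ipfilter.rules" <<EOF
pass in quick on $WAN_IF proto udp from any to any port = $GAME_PORT keep state
pass out quick on $WAN_IF proto udp from any to any keep state
pass out quick on $WAN_IF proto tcp from any to any flags S keep state
block in quick on $WAN_IF all
EOF
}

# Reload both rule sets. ipf -Fa flushes the active in/out filter rules
# before loading the file. For NAT, -F alone only flushes the active
# translation table and leaves the old rdr/map rules loaded, so a
# following -f appends a second copy. -CF flushes both the rule list
# and the active sessions, so -CF -f replaces the set in one step.
reload_rules() {
    ipf -Fa -f "$RULES_DIR/ipfilter.rules"
    ipnat -CF -f "$RULES_DIR/ipnat.rules"
}

# What to look at afterwards: ipnat -l shows the loaded NAT rules and
# the active translations; ipfstat -io shows the loaded filter rules.
show_state() {
    ipnat -l
    ipfstat -io
}

# Only touch the kernel when explicitly asked (requires root).
case "${1:-}" in
    apply)
        write_ipnat_rules
        write_ipfilter_rules
        reload_rules
        show_state
        ;;
esac
```

Run it as `sh forward.sh apply` as root; with `RULES_DIR=/tmp/x sh forward.sh apply` you can check the generated files first. If ipnat -l still shows two rdr lines after this, the rule set was loaded twice from somewhere else (for example the rc scripts at boot plus a manual -f), and -C is again the way to clear it.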