From: "Darryl Hoar"
To: "'Mike Maltese'"
Cc: freebsd-questions@freebsd.org
Reply-To: darryl@osborne-ind.com
Date: Fri, 8 Aug 2003 13:37:30 -0500
Subject: RE: ipfilter - port forward question
Message-ID: <004901c35ddc$209379b0$0701a8c0@darryl>
In-Reply-To: <007101c35d28$c6e57f70$f4f0a8c0@pcmedx.com>

Well, it does in fact use udp. Here is what I have done.

Added to /etc/ipfilter.rules:

pass in quick on ep0 proto tcp from any to any port = 31240 keep state

Added to /etc/ipnat.rules:

rdr ep0 0/0 port 31240 -> 192.168.1.35 port 31240 udp

First question: I can reload the ipfilter rules with

ipf -Fa -f /etc/ipfilter.rules

How do I reload the ipnat rules? I tried ipnat -F, then ipnat -f /etc/ipnat.rules. But when I did an ipnat -l it showed that it had just added the new rdr (so I had two listed).

I rebooted. External users still couldn't connect. So, I created a new ipfilter.rules file with:

pass in quick on ep0 all keep state
pass out quick on ep0 all keep state

and reloaded the firewall rules. Users tried to connect but couldn't. I looked at the nat table and saw:

map 192.168.1.35 1256 <- -> 24.225.33.88 1256 [24.225.17.163 5101]
rdr 192.168.1.35 31240 <- -> 24.225.33.88 31240 [24.225.17.163 1131]

I feel I'm close. What am I missing/screwing up?

thanks,
Darryl
FreeBSD 4.7S

>-----Original Message-----
>From: Mike Maltese [mailto:mike@pcmedx.com]
>Sent: Thursday, August 07, 2003 4:14 PM
>To: freebsd-questions@freebsd.org
>Cc: darryl@osborne-ind.com
>Subject: Re: ipfilter - port forward question
>
>
>> map ep0 192.168.1.0/24 -> 0/32
>> rdr epo 24.225.33.0/32 port 31240 -> 192.168.1.35 port 31240 tcp
>
>Try "rdr ep0 0/0 port 31240 -> 192.168.1.35 port 31240 tcp" in your nat
>rules and try something like "pass in quick on ed0 all keep state/pass out
>quick on ed0 all keep state" in your ipf rules. There's really no need to
>open up the whole machine like this though. Why not "pass in quick on ed0
>proto tcp from any to any port = 31240 flags S keep state"?
>One last thing that I just thought of...are you sure the game uses TCP? Most
>games use UDP because of the lower overhead.
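Added example, not part of the thread: a small Python check that parses the rdr and inbound pass rules quoted above and reports any forwarded port that no inbound pass rule admits for the same interface and protocol (here, the rdr forwards UDP while the only pass rule is for TCP). It assumes the simple rule forms used in this thread, and that ipnat's rdr is applied before ipf filters an inbound packet, so the pass rule is matched against the rdr's internal port.

```python
import re

# Constructed sample rules from the thread: rdr forwards UDP, pass rule only admits TCP.
IPF_RULES = "pass in quick on ep0 proto tcp from any to any port = 31240 keep state\n"
IPNAT_RULES = "rdr ep0 0/0 port 31240 -> 192.168.1.35 port 31240 udp\n"

RDR_RE = re.compile(r"^rdr\s+(\S+)\s+\S+\s+port\s+\d+\s+->\s+\S+\s+port\s+(\d+)\s+(tcp/udp|tcp|udp)\b")
PASS_RE = re.compile(r"^pass\s+in\s+(?:(?:quick|log)\s+)*on\s+(\S+)\s+(.*)$")
PROTO_RE = re.compile(r"^proto\s+(tcp/udp|tcp|udp)\s+from\s+\S+\s+to\s+\S+(?:\s+port\s*=\s*(\d+))?")

def _protos(token):
    return {"tcp", "udp"} if token == "tcp/udp" else {token}

def parse_rdr(text):
    """Yield (iface, internal_port, protos) for each rdr rule in ipnat.rules."""
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), _protos(m.group(3))

def parse_pass_in(text):
    """Yield (iface, protos, port_or_None) for each inbound pass rule in ipf.rules."""
    for line in text.splitlines():
        m = PASS_RE.match(line.strip())
        if not m:
            continue
        iface, rest = m.groups()
        if rest.startswith("all"):  # e.g. "pass in quick on ep0 all keep state"
            yield iface, {"tcp", "udp"}, None
            continue
        pm = PROTO_RE.match(rest)
        if pm:
            yield iface, _protos(pm.group(1)), (int(pm.group(2)) if pm.group(2) else None)

def find_unfiltered_forwards(ipf_text, ipnat_text):
    """Return (iface, proto, port) for every rdr that no inbound pass rule admits.
    ipnat rewrites the destination before ipf filters, so match the internal port."""
    passes = list(parse_pass_in(ipf_text))
    missing = []
    for iface, port, protos in parse_rdr(ipnat_text):
        for proto in sorted(protos):
            if not any(pi == iface and proto in pp and pport in (None, port)
                       for pi, pp, pport in passes):
                missing.append((iface, proto, port))
    return missing

if __name__ == "__main__":
    for iface, proto, port in find_unfiltered_forwards(IPF_RULES, IPNAT_RULES):
        print(f"rdr on {iface} forwards {proto}/{port}, but no inbound pass rule admits it")
```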