migrated from 3.5 to 3.6, same configs but anchors won't work anymore - why?
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: migrated from 3.5 to 3.6, same configs but anchors won't work anymore - why?
- From: Vincent Immler <v_(_dot_)_immler_(_at_)_12mm_(_dot_)_de>
- Date: Fri, 08 Apr 2005 11:43:09 +0200
Hi all!
I just installed OpenBSD 3.6 on my former 3.5 openbsd-router. Everything
works fine except for those anchors. I thought I could use the configs
from 3.5 - but this seems not to work.
First my pf.conf:
### VARIABLES ###
Ext = "tun0"                # device the Internet is attached to
Int = "xl0"                 # device the internal network hangs off
IntNet = "192.168.0.0/24"   # address range of the internal network
RouterIP = "192.168.0.3"    # IP address of the router
Loop = "lo0"                # loopback device
# Addresses that are not routed on the external device
# (the internal network's range has to be allowed because of the redirects)
table <NoRoute> { 127.0.0.1/8, 172.16.0.0/12, 192.168.0.0/16, !$IntNet, 10.0.0.0/8, 255.255.255.255/32 }
# Ports that should be opened
InServicesTCP = "{ auth }"
### OPTIONS ###
# Keeps statistics for the DSL connection (pfctl -s info)
set loginterface $Ext
# Expires idle connections faster - lower memory usage
set optimization aggressive
# Clean up fragmented packets
scrub on $Ext all fragment reassemble random-id
# Queueing
altq on $Ext priq bandwidth 128Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)
### NAT & FORWARD ###
# Enable NAT (known as masquerading under Linux)
nat on $Ext from $IntNet to any -> ($Ext) static-port
# rdr rules are loaded into this anchor with pfctl -a redirect:<name> -f <file>
rdr-anchor redirect
### FILTER ###
# For debugging....
#pass quick all # let everything through
# General block rule
block on $Ext
# We don't make a peep voluntarily ;)
block return log on $Ext
# We don't want IPv6
block quick inet6
# The loopback device may do anything
pass quick on $Loop
# Makes scanning with nmap and friends harder
block in log quick on $Ext inet proto tcp from any to any flags FUP/FUP
block in log quick on $Ext inet proto tcp from any to any flags SF/SFRA
block in log quick on $Ext inet proto tcp from any to any flags /SFRA
block in log quick on $Ext os NMAP
# Prevent IP spoofing
block in log quick on $Ext inet from <NoRoute> to any
block in log quick on $Ext inet from any to <NoRoute>
# Accept ping (refusing it is not very useful, by the way)
pass in quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state
# Open ports to the outside
pass in quick on $Ext inet proto tcp from any to any port $InServicesTCP flags S/SAFR keep state label ServicesTCP
# filter rules are loaded into this anchor with pfctl -a passin:<name> -f <file>
anchor passin
# (Almost) everything may go out
pass out quick on $Ext keep state queue (q_def,q_pri)
####################################################
ATM I'm connected through this box to the internet, so it works quite
fine ...
On my 3.5 box I used to add anchors in the following way:
pfctl -a redirect:bittorrent -f /etc/bittorrrent.redirect
pfctl -a passin:bittorrent -f /etc/bittorrent.redirect
and so on ...
I have 4 configs (2x bittorrent, 2x emule), but neither seems to work
anymore; I can't imagine why.
bsdrouter# pfctl -vvs A
passin
passin:bittorrent
passin:emule
redirect
redirect:bittorrent
redirect:emule
They are loaded, but don't work. I tried several tests (the easiest way:
eMule's built-in port test) - all without success. I hope someone can
help me, because I just need some new Simpsons episodes ... *g*
Thanks for your help in advance!
bittorrent.redirect:
Ext = "tun0"                # device the Internet is attached to
BitIP = "192.168.0.2"       # IP address of the BitTorrent client
IntNet = "192.168.0.0/24"   # address range of the internal network
rdr on $Ext proto tcp from !$IntNet to any port 6969 -> $BitIP port 6969
rdr on $Ext proto tcp from !$IntNet to any port 6881:6889 -> $BitIP port 6881:*
bittorrent.passin:
Ext = "tun0"                # device the Internet is attached to
InBitTCP = "{ 6969, 6881:6889 }"   # ports needed by BitTorrent
pass in quick on $Ext inet proto tcp from any to any port $InBitTCP flags S/SAFR keep state label BitTCP
emule.redirect:
Ext = "tun0"                # device the Internet is attached to
MuleIP = "192.168.0.2"      # IP address of the eMule client
IntNet = "192.168.0.0/24"   # address range of the internal network
rdr on $Ext proto tcp from !$IntNet to any port 4661:4662 -> $MuleIP port 4661:*
rdr on $Ext proto udp from !$IntNet to any port 4665 -> $MuleIP port 4665
rdr on $Ext proto udp from !$IntNet to any port 4672 -> $MuleIP port 4672
rdr on $Ext proto tcp from !$IntNet to any port 4711 -> $MuleIP port 4711
emule.passin:
Ext = "tun0"                # device the Internet is attached to
InMuleTCP = "{ 4661, 4662, 4711 }"   # TCP ports needed by eMule
InMuleUDP = "{ 4665, 4672 }"         # UDP ports needed by eMule
pass in quick on $Ext inet proto tcp from any to any port $InMuleTCP flags S/SAFR keep state label eMuleTCP
pass in quick on $Ext inet proto udp from any to any port $InMuleUDP keep state label eMuleUDP
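An added pre-flight check (example code written for this page, not part of the post or of pf itself): pf.conf above declares `rdr-anchor redirect` and `anchor passin`, so a file loaded with `pfctl -a redirect:<name> -f` may only carry rdr rules and a file loaded under passin only pass/block rules, and each file has to define every macro it uses itself (the anchor files redefine `Ext` for that reason). The script checks a rule file against the anchor kind it will be loaded into before pfctl is run; the keyword table and the macro syntax it accepts are a simplification assumed by this example, and the sample inputs are constructed from the bittorrent files in the post.

```python
import re

# Rule keywords each anchor kind accepts (pf 3.x, simplified; an assumption of this example).
ANCHOR_RULES = {
    "rdr-anchor": {"rdr"},
    "nat-anchor": {"nat"},
    "anchor": {"pass", "block"},   # filter anchor, as in "anchor passin"
}
MACRO_DEF = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')
MACRO_REF = re.compile(r"\$([A-Za-z_]\w*)")


def check_anchor_file(text, anchor_kind):
    """Return the problems found if `text` were loaded into an anchor of `anchor_kind`."""
    problems, macros = [], {}
    allowed = ANCHOR_RULES[anchor_kind]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = MACRO_DEF.match(raw)
        if m:                                 # macro definition: remember it for later lines
            macros[m.group(1)] = m.group(2)
            continue
        for ref in MACRO_REF.findall(line):   # every $macro must be defined in this same file
            if ref not in macros:
                problems.append(f"line {lineno}: macro ${ref} is not defined in this file")
        keyword = line.split()[0]
        if keyword not in allowed:            # e.g. an rdr rule fed into a filter anchor
            problems.append(f"line {lineno}: '{keyword}' rule does not belong in a {anchor_kind}")
    return problems


# Constructed sample input, taken from the bittorrent files in the post (comments dropped).
BITTORRENT_REDIRECT = """\
Ext = "tun0"
BitIP = "192.168.0.2"
IntNet = "192.168.0.0/24"
rdr on $Ext proto tcp from !$IntNet to any port 6969 -> $BitIP port 6969
rdr on $Ext proto tcp from !$IntNet to any port 6881:6889 -> $BitIP port 6881:*
"""
BITTORRENT_PASSIN = """\
Ext = "tun0"
InBitTCP = "{ 6969, 6881:6889 }"
pass in quick on $Ext inet proto tcp from any to any port $InBitTCP flags S/SAFR keep state label BitTCP
"""

if __name__ == "__main__":   # pf.conf declares "rdr-anchor redirect" and "anchor passin"
    for name, text, kind in [("bittorrent.redirect", BITTORRENT_REDIRECT, "rdr-anchor"),
                             ("bittorrent.passin", BITTORRENT_PASSIN, "anchor")]:
        print(name, "->", check_anchor_file(text, kind) or "ok")
```

Running it against a .redirect file under the `anchor` kind reports every rdr line, which is the quickest way to confirm that each `pfctl -a` invocation pairs a file with the anchor type pf.conf declares for it.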