PacketFilter
Update as of OpenBSD 3.3:

Note: in previous versions of OpenBSD, the following syntax was supported:

    . . . flags S

This is no longer true. A mask must now always be specified. Use

    . . . flags S/SAFR

instead (see http://www.openbsd.org/faq/pf/filter.html). The rules below are written with the mask.
After reading pango's howto, I decided to share some tips for those of us behind OpenBSD's pf/nat firewalls.
/etc/pf.conf:

    # assuming:
    ext_if       = "your external network adapter"
    port         = "your eDonkey2000 port (usually 4662)"
    mldonkey_ext = "your MLDonkey UDP source-sharing (receiving) port (usually 4666)"
    overnet_port = "as you find in your mldonkey/downloads.ini"

The port values may be defined like this, as macros in pf.conf, or by name in /etc/services (pfctl resolves service names when it parses a port).
This should go somewhere early on, to keep misconfigured clients that use reserved or otherwise unroutable address space from bothering MLDonkey (you should have this even if you're not running MLDonkey). "no-route" matches any address that has no entry in the routing table. Note that it's useful to return a "closed" response (a TCP RST or an ICMP unreachable) to outgoing connection attempts towards such addresses, so that none of them stays open until it times out.

    # block from/to unroutable addresses
    block in quick on $ext_if inet from no-route to any
    block return-rst out quick on $ext_if proto tcp from any to no-route
    block return-icmp out quick on $ext_if proto udp from any to no-route
Assuming free outbound traffic:

    pass out on $ext_if proto udp all keep state
    pass out on $ext_if proto tcp all modulate state

Or simply, for any protocol:

    pass out all keep state
Add this to open the ports to MLDonkey (the TCP rules carry the flags mask required from 3.3 on, see the note at the top):

    # edonkey data
    pass in on $ext_if proto tcp from any to $ext_if port $port flags S/SAFR keep state
    # mldonkey source propagation
    pass in on $ext_if proto udp from any to $ext_if port $mldonkey_ext keep state
    # overnet data
    pass in on $ext_if proto tcp from any to $ext_if port $overnet_port flags S/SAFR keep state
    # overnet search
    pass in on $ext_if proto udp from any to $ext_if port $overnet_port keep state
Note: If, for any reason, you'd like to shut down Overnet, you should remove its pf entries, because Overnet clients seem to have a long memory and keep knocking on the port.
Note: You can also compress this using braces. "flags" applies to TCP only (pfctl refuses it on a UDP rule, and a { tcp, udp } list is expanded into one rule per protocol), so keep one rule per protocol:

    pass in quick on $ext_if proto tcp from any to $ext_if port { $port, $overnet_port } flags S/SAFR keep state
    pass in quick on $ext_if proto udp from any to $ext_if port { $mldonkey_ext, $overnet_port } keep state
I added this recently, for cleaner operation (so it does not add much security): you can make the rule turn itself off when you stop your MLDonkey client or remove Overnet support, by adding "user != unknown" to the rule, like this:

    pass in quick on $ext_if proto tcp from any to $ext_if port { $port, $overnet_port } user != unknown flags S/SAFR keep state
    pass in quick on $ext_if proto udp from any to $ext_if port { $mldonkey_ext, $overnet_port } user != unknown keep state

pf looks up the local socket the packet is addressed to and compares the uid of its owner; "unknown" is what it reports when no such socket exists. So if nothing is listening on the port in question, the rule simply does not match and the default block applies. You can use "user = mldonkey_username_or_id" to be more specific, which goes even further in our paranoid OBSD world! :) This also comes in handy in other situations, to restrict which users may listen on which sockets and which users may talk to the net on which sockets. One caveat: "user" only works for sockets on the firewall itself. For traffic redirected to another machine (see the NAT section below) pf finds no local socket, every packet is "unknown", and such a rule would pass nothing.
Now, if your MLDonkey is running on another machine behind the firewall, you need to configure NAT as well, in /etc/nat.conf:

    # assuming:
    ext_if       = "your external network adapter"
    mldonkey_ip  = "mldonkey.machine.ip.number"
    port         = "your eDonkey2000 port (usually 4662)"
    mldonkey_ext = "your MLDonkey UDP source-sharing (receiving) port (usually 4666)"
    overnet_port = "as you find in your mldonkey/downloads.ini"
    ...
    # redirect traffic
    rdr on $ext_if proto tcp from any to $ext_if/32 port $port -> $mldonkey_ip port $port
    rdr on $ext_if proto udp from any to $ext_if/32 port $mldonkey_ext -> $mldonkey_ip port $mldonkey_ext
    rdr on $ext_if proto tcp from any to $ext_if/32 port $overnet_port -> $mldonkey_ip port $overnet_port
    rdr on $ext_if proto udp from any to $ext_if/32 port $overnet_port -> $mldonkey_ip port $overnet_port

Translation is done before filtering, so the filter rules see the redirected packets with $mldonkey_ip as their destination. The "pass in" rules from the previous section must therefore say "to $mldonkey_ip" instead of "to $ext_if" in this setup, or the redirected traffic is blocked by the default deny.

Note that OpenBSD 3.2 and later merge nat.conf into pf.conf: the nat/rdr rules then go into pf.conf, after the options and scrub rules and before the filter rules.
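Putting the pieces above together, here is a complete /etc/pf.conf for the case where MLDonkey runs on an internal host behind an OpenBSD 3.3 firewall. This is an added example, not from the original page or the MLDonkey project; the interface names, the internal network, the MLDonkey host address and the Overnet port are assumptions. It shows the two details that bite in practice: the pass rules for redirected traffic name the translated destination, and "flags" stays on the TCP rule only.

```pf
# /etc/pf.conf -- added example for OpenBSD 3.3 pf; not part of the original page.
# MLDonkey runs on an internal host behind this firewall.
# Interface names, addresses and the Overnet port below are assumptions.
ext_if       = "fxp0"
int_if       = "fxp1"
int_net      = "192.168.1.0/24"
mldonkey_ip  = "192.168.1.10"
port         = "4662"   # eDonkey2000 TCP port
mldonkey_ext = "4666"   # MLDonkey UDP source-sharing (receiving) port
overnet_port = "4665"   # assumed; use the value from mldonkey/downloads.ini

# Normalise incoming packets (fragment reassembly) before anything else sees them.
scrub in on $ext_if all

# Translation: NAT for the internal network and redirection of the MLDonkey
# ports to the internal host. With no target port after "->" the original
# destination port is kept. Translation runs before filtering, which is why
# the pass rules further down name $mldonkey_ip and not $ext_if.
nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port { $port, $overnet_port } -> $mldonkey_ip
rdr on $ext_if proto udp from any to ($ext_if) port { $mldonkey_ext, $overnet_port } -> $mldonkey_ip

# Default deny inbound on the external interface; a later matching pass rule wins.
block in on $ext_if all

# Unroutable addresses: drop inbound, answer outbound so nothing hangs until it times out.
block in quick on $ext_if inet from no-route to any
block return-rst out quick on $ext_if proto tcp from any to no-route
block return-icmp out quick on $ext_if proto udp from any to no-route

# Loopback and the internal network are trusted.
pass quick on lo0 all
pass quick on $int_if all

# Free outbound traffic, statefully (sequence-number modulation for TCP).
pass out on $ext_if proto tcp all modulate state
pass out on $ext_if proto udp all keep state

# Inbound MLDonkey traffic, matched on the translated (internal) destination.
# "flags" is TCP-only, so tcp and udp need separate rules even with { } lists.
pass in on $ext_if proto tcp from any to $mldonkey_ip port { $port, $overnet_port } flags S/SAFR keep state
pass in on $ext_if proto udp from any to $mldonkey_ip port { $mldonkey_ext, $overnet_port } keep state
```

Check the file without loading it with "pfctl -nf /etc/pf.conf"; "pfctl -nvf /etc/pf.conf" additionally prints the rules with the { } lists expanded, which is the quickest way to confirm that every UDP rule ended up without flags and every TCP rule with them. Load it with "pfctl -f /etc/pf.conf" and watch which rules are being hit with "pfctl -v -s rules".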
No rights reserved. No liabilities accepted.
See also:

- the OpenBSD pf man page
- onlamp's good introduction to pf/nat
- Forum: Use state tables or not? (OpenBSD, others welcome ;) )
- Forum: Sticky: ( Firewall ) Which ports are used by MLDonkey ?
/kokamomi & SSteph ;)