
ipf, ipnat and Bittorrent - FreeBSD


  1. #1

    ipf, ipnat and Bittorrent

    I am trying to forward bittorrent ports on FreeBSD 5.3 with ipf and ipnat.
    But the bittorrent indicator stays yellow which means it isn't set up
    correctly. Also, I don't get as many connections to peers as I should and
    download speeds are very poor. My ipnat.rules and ipf.rules files are shown
    below:

    ipnat.rules:

    #Rules for ipnat

    #This line says to map outbound traffic to your public IP address
    map tun0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto

    #bittorrent
    rdr tun0 0/32 port 6881 -> 192.168.0.3 port 6881 tcp/udp
    rdr tun0 0/32 port 6882 -> 192.168.0.3 port 6882 tcp/udp
    rdr tun0 0/32 port 6883 -> 192.168.0.3 port 6883 tcp/udp
    rdr tun0 0/32 port 6884 -> 192.168.0.3 port 6884 tcp/udp
    rdr tun0 0/32 port 6885 -> 192.168.0.3 port 6885 tcp/udp
    rdr tun0 0/32 port 6886 -> 192.168.0.3 port 6886 tcp/udp
    rdr tun0 0/32 port 6887 -> 192.168.0.3 port 6887 tcp/udp
    rdr tun0 0/32 port 6888 -> 192.168.0.3 port 6888 tcp/udp
    rdr tun0 0/32 port 6889 -> 192.168.0.3 port 6889 tcp/udp
    rdr tun0 0/32 port 6890 -> 192.168.0.3 port 6890 tcp/udp


    ipf.rules:

    #####################################################################
    #
    # IP packet filtering rules (firewall)
    #

    # If you change this file, run
    # ipf -Fa -f /etc/ipf.rules
    # to update kernel tables

    # All rules are "quick" so go strictly top to bottom

    # Don't bug loopback
    #
    pass out quick on lo0
    pass in quick on lo0

    # Don't bother the inside interface either
    #
    pass out quick on sis0
    pass in quick on sis0

    #####################################################################
    #
    # First, we deal with bogus packets.
    #

    # Block any inherently bad packets coming in from the outside world.
    # These include ICMP redirect packets and IP fragments so short the
    # filtering rules won't be able to examine the whole UDP/TCP header.
    #
    block in log quick on tun0 proto icmp from any to any icmp-type redir
    block in log quick on tun0 proto tcp/udp all with short

    # Block any IP spoofing attempts. (Packets "from" non-routable
    # addresses shouldn't be coming in from the outside).
    #
    block in quick on tun0 from 192.168.0.0/16 to any
    block in quick on tun0 from 127.0.0.0/8 to any
    block in quick on tun0 from 172.16.0.0/12 to any
    block in quick on tun0 from 10.0.0.0/8 to any
    block in quick on tun0 from 0.0.0.0/8 to any
    block in quick on tun0 from 169.254.0.0/16 to any
    block in quick on tun0 from 192.0.2.0/24 to any
    block in quick on tun0 from 204.152.64.0/23 to any
    block in quick on tun0 from 224.0.0.0/3 to any
    block in quick on tun0 from 255.255.255.255/32 to any

    # Kill all source-routed packets
    #
    block in quick on tun0 all with opt lsrr
    block in quick on tun0 all with opt ssrr

    # Don't allow non-routable packets to leave our network
    #
    block out quick on tun0 from any to 192.168.0.0/16
    block out quick on tun0 from any to 127.0.0.0/8
    block out quick on tun0 from any to 172.16.0.0/12
    block out quick on tun0 from any to 10.0.0.0/8
    block out quick on tun0 from any to 0.0.0.0/8
    block out quick on tun0 from any to 169.254.0.0/16
    block out quick on tun0 from any to 192.0.2.0/24
    block out quick on tun0 from any to 204.152.64.0/23
    block out quick on tun0 from any to 224.0.0.0/3
    block out quick on tun0 from any to 255.255.255.255/32

    #
    #####################################################################

    #####################################################################
    #
    # Now the normal filtering rules
    #

    # ICMP: allow incoming ping and traceroute only
    #
    pass in quick on tun0 proto icmp from any to any icmp-type echorep
    pass in quick on tun0 proto icmp from any to any icmp-type echo
    pass in quick on tun0 proto icmp from any to any icmp-type timex
    pass in quick on tun0 proto icmp from any to any icmp-type unreach
    block in log quick on tun0 proto icmp from any to any

    # TCP: Allow various incoming services. Only match
    # SYN packets, and allow the state table to handle the rest of the
    # connection.
    #
    pass in quick on tun0 proto tcp from any to any port = ssh flags S keep frags keep state
    pass in quick on tun0 proto tcp from any to any port = http flags S keep frags keep state
    pass in quick on tun0 proto tcp from any to any port = 443 flags S keep frags keep state
    pass in quick on tun0 proto tcp from any to any port = ftp keep state
    pass in quick on tun0 proto tcp from any to any port = 3306 flags S keep frags keep state
    # ">< " is an exclusive range, so 6880 >< 6891 matches ports 6881-6890
    pass in quick on tun0 proto tcp from any to any port 6880 >< 6891 flags S keep state
    pass in quick on tun0 proto udp from any to any port 6880 >< 6891 keep state

    # Of course we need to allow packets coming in as replies to our
    # connections so we keep state. Strictly speaking, with packets
    # coming from our network we don't have to only match SYN,
    # and it's rather unlikely that there will be any fragments. But
    # what the hell.
    #
    pass out quick on tun0 proto tcp from any to any flags S keep frags keep state
    pass out quick on tun0 proto udp from any to any keep state
    pass out quick on tun0 proto icmp from any to any keep state

    # End of rules. Block everything to all ports, all protocols and return
    # RST (TCP) or ICMP/port-unreachable (UDP). Don't forget to rewrite the
    # source address of the "port unreachable" message, hence -as-dest
    #
    block return-rst in log quick on tun0 proto tcp from any to any
    block return-icmp-as-dest in log quick on tun0 proto udp from any to any
    block in quick all

    #
    # End of file
    #
    #####################################################################

    Paul Guest

  2. #2

    Re: ipf, ipnat and Bittorrent

    On Wed, 16 Feb 2005 11:04 pm, Paul wrote:
    > I am trying to forward bittorrent ports on FreeBSD 5.3 with ipf and ipnat.
    > But the bittorrent indicator stays yellow which means it isn't set up
    > correctly. Also, I don't get as many connections to peers as I should and
    > download speeds are very poor. My ipnat.rules and ipf.rules files are
    > shown below:
    I use this basic thing in my ppp.conf and it has greatly increased my up/down
    speeds ... never dealt with FW so this is about as much as I can sort of help.

    nat port tcp <IP Address>:6881-6999 6881-6999
    --
    Yours Sincerely
    Shinjii
    http://www.shinji.nq.nu
    Warren Guest

  3. #3

    Re: ipf, ipnat and Bittorrent

    On Wed, 16 Feb 2005 13:04:28 -0000, Paul <paultheharbour.eclipse.co.uk> wrote:
    > I am trying to forward bittorrent ports on FreeBSD 5.3 with ipf and ipnat.
    > But the bittorrent indicator stays yellow which means it isn't set up
    > correctly. Also, I don't get as many connections to peers as I should and
    > download speeds are very poor. My ipnat.rules and ipf.rules files are shown
    > below:
    Took some toying around for me as well to get it running. For
    starters, Azureus is fine with one port only (set in Tools -> Options
    -> Incoming TCP listen port); I use 50505.
    >[...]
    >
    > #bittorrent
    > rdr tun0 0/32 port 6881 -> 192.168.0.3 port 6881 tcp/udp
    > rdr tun0 0/32 port 6882 -> 192.168.0.3 port 6882 tcp/udp
    > rdr tun0 0/32 port 6883 -> 192.168.0.3 port 6883 tcp/udp
    > rdr tun0 0/32 port 6884 -> 192.168.0.3 port 6884 tcp/udp
    > rdr tun0 0/32 port 6885 -> 192.168.0.3 port 6885 tcp/udp
    > rdr tun0 0/32 port 6886 -> 192.168.0.3 port 6886 tcp/udp
    > rdr tun0 0/32 port 6887 -> 192.168.0.3 port 6887 tcp/udp
    > rdr tun0 0/32 port 6888 -> 192.168.0.3 port 6888 tcp/udp
    > rdr tun0 0/32 port 6889 -> 192.168.0.3 port 6889 tcp/udp
    > rdr tun0 0/32 port 6890 -> 192.168.0.3 port 6890 tcp/udp
    The "Any IP on interface" for ipnat seems to be 0/0 instead of 0/32
    and I am not sure if the tcp/udp keyword also works with ipnat. I use:

    rdr xl0 0/0 port 50505 -> 192.168.0.11 port 50505 tcp
    rdr xl0 0/0 port 50505 -> 192.168.0.11 port 50505 udp

    and then in ipf.rules:

    pass in quick on xl0 proto tcp from any to 192.168.0.11 port = 50505
    flags S keep state
    pass in quick on xl0 proto udp from any to 192.168.0.11 port = 50505 keep state

    Regards
    Fabian Anklam Guest
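An added check that is not part of any post above, for both Paul's ten-line rdr list and Fabian's single-port rdr/pass pair: IPFilter applies ipnat to an inbound packet before ipf filters it, so a rdr whose translated port has no matching "pass in" rule on the same interface and protocol is silently eaten by the final "block in quick all", and the client shows exactly the symptoms described (yellow indicator, few peers). The script below expands every rdr target (single port, lo-hi range, tcp/udp) and every numeric "pass in ... to ... port = N" / "port N >< M" rule (exclusive range, as ipf defines it), then prints the rdr targets nothing passes. The rule files it reads are constructed samples modelled on the thread's rules, written to a temp directory; pass rules that use service names, "<>" or a source port are ignored by this check, and a rdr with no protocol keyword is assumed to mean tcp.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check ipnat rdr targets
# against ipf "pass in" rules. Only numeric destination ports with
# "=" or "><" are understood (assumption stated in the lead-in).

# expand_rdr FILE -> one "iface proto port" line per rdr'd port/protocol
expand_rdr() {
    awk '
    $1 == "rdr" {
        iface = $2; spec = ""
        for (i = 3; i <= NF && $i != "->"; i++)
            if ($i == "port") spec = $(i + 1)
        if (spec == "") next
        # last field is the protocol ("tcp", "udp" or "tcp/udp");
        # if it is a bare port number the keyword was omitted: assume tcp
        proto = ($NF ~ /^[0-9]+$/) ? "tcp" : $NF
        if (split(spec, r, "-") == 2) { lo = r[1] + 0; hi = r[2] + 0 }
        else                          { lo = spec + 0; hi = spec + 0 }
        n = split(proto, p, "/")
        for (j = 1; j <= n; j++)
            for (port = lo; port <= hi; port++) print iface, p[j], port
    }' "$1"
}

# expand_pass FILE -> one "iface proto port" line per port a "pass in" rule
# admits by destination port; "a >< b" is exclusive, i.e. a+1 .. b-1
expand_pass() {
    awk '
    $1 == "pass" && $2 == "in" {
        iface = ""; proto = ""; lo = -1; hi = -1; dst = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "on")    iface = $(i + 1)
            if ($i == "proto") proto = $(i + 1)
            if ($i == "to")    dst = 1
            if ($i == "port" && dst) {
                if ($(i + 1) == "=" && $(i + 2) ~ /^[0-9]+$/)
                    { lo = $(i + 2) + 0; hi = lo }
                else if ($(i + 2) == "><" && $(i + 1) ~ /^[0-9]+$/ && $(i + 3) ~ /^[0-9]+$/)
                    { lo = $(i + 1) + 1; hi = $(i + 3) - 1 }
            }
        }
        if (iface == "" || proto == "" || lo < 0) next
        n = split(proto, p, "/")
        for (j = 1; j <= n; j++)
            for (port = lo; port <= hi; port++) print iface, p[j], port
    }' "$1"
}

# uncovered IPNAT_FILE IPF_FILE -> rdr targets with no matching pass rule
uncovered() {
    { expand_pass "$2" | sed 's/^/P /'; expand_rdr "$1" | sed 's/^/R /'; } |
    awk '$1 == "P" { ok[$2 " " $3 " " $4] = 1; next }
         { k = $2 " " $3 " " $4 }
         !(k in ok) && !seen[k]++ { print $2, $3, $4 }'
}

# write_samples DIR: constructed sample rule files (not the poster's files)
write_samples() {
    cat > "$1/ipnat.rules" <<'EOF'
# constructed sample: one range rule in place of ten single-port lines,
# plus one extra port that the ipf.rules sample does not pass
map tun0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
rdr tun0 0/32 port 6881-6890 -> 192.168.0.3 port 6881 tcp/udp
rdr tun0 0/32 port 6891 -> 192.168.0.3 port 6891 tcp/udp
EOF
    cat > "$1/ipf.rules" <<'EOF'
# constructed sample: only the relevant "pass in" lines
pass in quick on tun0 proto tcp from any to any port = ssh flags S keep frags keep state
pass in quick on tun0 proto tcp from any to any port 6880 >< 6891 flags S keep state
pass in quick on tun0 proto udp from any to any port 6880 >< 6891 keep state
block in quick all
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
echo "rdr targets with no matching 'pass in' rule:"
uncovered "$dir/ipnat.rules" "$dir/ipf.rules"
rm -rf "$dir"
```

Run it against the real files with `uncovered /etc/ipnat.rules /etc/ipf.rules` after sourcing the script; an empty result means every redirected port is also passed. Because the check is purely textual, it does not replace looking at the live tables: after reloading (`ipf -Fa -f /etc/ipf.rules`, `ipnat -CF -f /etc/ipnat.rules`), `ipnat -l` should list the rdr entries and `ipfstat -hio` should show the hit counters on the pass rules rising while a peer connects; `ipmon` on the logged block rules shows which packets still fall through.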
