
Problems w/ IRC DCCs and p2p on my firewall



I'm running an OpenBSD 3.4 firewall: everything works OK except some
services, e.g. sending DCC file send requests (if someone tries to send
me a file via DCC it works without problems, I just can't send) and p2p
inbound connections. Here are my rules:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=> CLIP HERE < =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

# macros
ext_if = "fxp1"	# replace with actual external interface name, e.g. dc0
int_if = "fxp0"	# replace with actual internal interface name, e.g. dc1
internal_net = "172.16.1.0/24"
Debian = "172.16.1.10"	# internal host that receives the redirected ports

# tables
# note: RFC 1918 reserves 172.16.0.0/12; 172.16.0.0/24 covers only the first /24 of it
table <rfc1918> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/24, 10.0.0.0/8, 169.254.0.0/16 }
table <rompicoglioni> persist	# addresses to cut off, filled at runtime with pfctl -t

# options
set loginterface fxp1
set optimization normal
set block-policy drop
set fingerprints "/etc/pf.os"

# normalization
scrub in all no-df random-id

# translation: NAT for the LAN, rdr for the Debian box's p2p/DCC ports,
# and the ftp-proxy redirect for outbound FTP from the LAN
nat on $ext_if from $internal_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 7777 -> $Debian port 7777
rdr on $ext_if proto tcp from any to ($ext_if) port 4662 -> $Debian port 4662
rdr on $ext_if proto udp from any to ($ext_if) port 4672 -> $Debian port 4672
rdr on $int_if inet proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# default deny on the external interface (these are rules 0 and 1 in pflog)
block in log on $ext_if inet all
block out log on $ext_if inet all

# broadcast/multicast destinations, IGMP (2) and PIM (103)
block in log quick on $ext_if from any to { 255.255.255.255, 224.0.0.0/8, 239.0.0.0/8 }
block in log quick on $ext_if proto { 2, 103 } all

# blacklisted addresses get an active reject instead of a silent drop
block return-rst in quick log inet proto tcp from <rompicoglioni> to any
block return-icmp in quick log inet proto { udp, icmp } from <rompicoglioni> to any

# spoofed and private source/destination addresses on the outside
antispoof log quick for $int_if inet
block in log quick on $ext_if inet from <rfc1918> to any
block out log quick on $ext_if inet from any to <rfc1918>

# loopback and the internal LAN
pass quick on lo0 all
pass in quick on $int_if from $internal_net to any keep state
pass out quick on $int_if from any to $internal_net keep state

# redirected ports for the Debian box (matched after rdr, so the destination is $Debian)
pass in quick on $ext_if inet proto tcp from any to $Debian port 7777 flags S/SA keep state
pass out quick on $ext_if inet proto tcp from $Debian to any port 7777 flags S/SA keep state
pass in quick on $ext_if inet proto tcp from any to $Debian port 4662 flags S/SA keep state
pass in quick on $ext_if inet proto udp from any to $Debian port 4672 keep state

# everything else going out, plus an inbound high-port range to the firewall itself
# (">< " excludes the endpoints: ports 49153 to 65534)
pass out quick on $ext_if inet proto tcp from any to any flags S/SA modulate state
pass in quick on $ext_if inet proto tcp from any to $ext_if port 49152 >< 65535 modulate state
pass out quick on $ext_if inet proto udp from any to any keep state
pass out quick on $ext_if inet proto icmp from $Debian to any keep state

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=> CLIP HERE < =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Let's talk about DCC first: as you can see I specified to use the
7777/TCP port, but even if I specify this port (I tried this in two
different IRC client programs: xchat, which has a menu item about file
transfers to do this, while in epic4 I can specify on the command line
the -p <port> parameter), it seems to always use a random source port,
so there's no way to have it working correctly. I tried to sniff using
tcpdump on the pflog0 interface, on the destination host and on the 7777
port both, but nothing seems to pass through it.
The same seems to happen with p2p programs too, since I'm always seeing
this kind of stuff in my pflog:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=> CLIP HERE < =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

May 02 09:36:33.227643 rule 0/0(match): block in on fxp1: 213.8.29.12.4662 > 10.0.0.2.25490: R 0:0(0) ack 4195832184 win 0
May 02 09:37:15.786105 rule 0/0(match): block in on fxp1: 213.8.29.12.4662 > 10.0.0.2.25492: R 0:0(0) ack 2858685711 win 0
May 02 09:37:17.105543 rule 0/0(match): block in on fxp1: 213.8.29.12.4662 > 10.0.0.2.25492: R 0:0(0) ack 1 win 0
May 02 09:45:50.628670 rule 7/0(match): block in on fxp1: 82.49.16.21.4661 > 10.0.0.2.25577: S 3776926678:3776926678(0) ack 3714573958 win 65535 <mss 1400,nop,nop,sackOK>

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=> CLIP HERE < =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

So, it seems no one can connect to my p2p client, even if I must say I can
see people uploading from me: how could I fix this?

-- 
Pierluigi De Rosa (thorin_(_at_)_durin_(_dot_)_khazad-dum_(_dot_)_net).
<<      LINUX: the choice of a GNU generation     >>
<<   For my real address... ask the Balrog.       >>
* Sostenete la Lega per la Soppressione dei Troll *
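The pflog lines quoted above are the most useful evidence in the post, and reading them by hand is error-prone. As an added example (not part of the original message or of OpenBSD's tools), the Python below parses the `tcpdump -n -e -ttt -i pflog0` text format used in OpenBSD 3.x, extracts the rule number, direction, interface, endpoints and TCP flags, and classifies each blocked packet: an RST or a SYN-ACK arriving from a remote service port to a high local port is a reply to a connection the firewall side started and for which no state entry matched, whereas a bare SYN is a genuinely unsolicited inbound attempt. It also checks whether the logged destination, i.e. the firewall's external address, is itself an RFC 1918 address (10.0.0.2 is), which means another NAT device sits upstream and must forward the redirected ports too. The sample input is the four lines from the post plus one constructed unsolicited SYN from the 198.51.100.0/24 documentation range; the function and field names are my own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the four pflog lines from the post, one per line, plus a
# constructed unsolicited inbound SYN (198.51.100.7 is a documentation address).
SAMPLE_PFLOG = """\
May 02 09:36:33.227643 rule 0/0(match): block in on fxp1: 213.8.29.12.4662 > 10.0.0.2.25490: R 0:0(0) ack 4195832184 win 0
May 02 09:37:15.786105 rule 0/0(match): block in on fxp1: 213.8.29.12.4662 > 10.0.0.2.25492: R 0:0(0) ack 2858685711 win 0
May 02 09:37:17.105543 rule 0/0(match): block in on fxp1: 213.8.29.12.4662 > 10.0.0.2.25492: R 0:0(0) ack 1 win 0
May 02 09:45:50.628670 rule 7/0(match): block in on fxp1: 82.49.16.21.4661 > 10.0.0.2.25577: S 3776926678:3776926678(0) ack 3714573958 win 65535 <mss 1400,nop,nop,sackOK>
May 02 09:50:01.000000 rule 0/0(match): block in on fxp1: 198.51.100.7.3344 > 10.0.0.2.135: S 1000:1000(0) win 5840 <mss 1460>
"""

# tcpdump pflog format (OpenBSD 3.x, TCP only; UDP/ICMP lines are skipped):
#   <ts> rule <n>/<sub>(<reason>): <action> <dir> on <if>: <src>.<sport> > <dst>.<dport>: <flags> ...
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[SRPFUWE.]+) (?P<rest>.*)$"
)
ACK_RE = re.compile(r"\back (\d+)")


@dataclass
class PfLogEntry:
    timestamp: str
    rule: int
    action: str
    direction: str
    ifname: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    ack: Optional[int]  # ack number if the packet carried one, else None


def parse_pflog_line(line: str) -> Optional[PfLogEntry]:
    """Parse one tcpdump pflog line; returns None for non-TCP or unparsable lines."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    ack = ACK_RE.search(m.group("rest"))
    return PfLogEntry(
        timestamp=m.group("ts"),
        rule=int(m.group("rule")),
        action=m.group("action"),
        direction=m.group("dir"),
        ifname=m.group("ifname"),
        src=m.group("src"),
        sport=int(m.group("sport")),
        dst=m.group("dst"),
        dport=int(m.group("dport")),
        flags=m.group("flags"),
        ack=int(ack.group(1)) if ack else None,
    )


def parse_pflog(text: str) -> List[PfLogEntry]:
    return [e for e in (parse_pflog_line(l) for l in text.splitlines()) if e]


def classify(e: PfLogEntry) -> str:
    """Name what kind of blocked TCP packet this is, from its flags alone."""
    if "S" in e.flags and e.ack is not None:
        return "syn-ack-no-state"  # peer answered our SYN, but no state matched
    if "R" in e.flags:
        return "rst-no-state"      # peer reset something we sent, no state matched
    if "S" in e.flags:
        return "unsolicited-syn"   # someone trying to open a connection to us
    return "other"


def summarize(entries: List[PfLogEntry]) -> Dict[str, object]:
    """Counts per class, the rule numbers involved, and whether the external
    address seen in the log is itself private (i.e. there is a NAT upstream)."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[classify(e)] = counts.get(classify(e), 0) + 1
    inbound = [e for e in entries if e.direction == "in"]
    ext_private = bool(inbound) and all(
        ipaddress.ip_address(e.dst).is_private for e in inbound
    )
    return {
        "counts": counts,
        "rules": sorted({e.rule for e in entries}),
        "external_address_private": ext_private,
    }


if __name__ == "__main__":
    for e in parse_pflog(SAMPLE_PFLOG):
        print(f"rule {e.rule:2d} {e.src}:{e.sport} -> {e.dst}:{e.dport} [{e.flags}] {classify(e)}")
    print(summarize(parse_pflog(SAMPLE_PFLOG)))
```

The rule numbers in the output refer to the loaded ruleset in order, starting at 0; `pfctl -vvsr` prints each rule with its `@N` index, which is the quickest way to map `rule 7/0` back to the line in pf.conf that dropped the packet. A run of `rst-no-state` and `syn-ack-no-state` hits on high local ports means the firewall is seeing replies to connections it never recorded state for, which is a different problem from inbound attempts being refused.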