Hi all,
I'm not sure my port forward in PF is working properly because port scans don't show the port as open. Could someone familiar with PF look at my conf and let me know if it's correct?
I have reviewed the PF documentation and used other samples online for extra help, but I'm just not sure the port forward is working.
Any help is appreciated as I'm pretty new to packet filtering, routing and firewalling like this.
Code:
#
## MACROS
#
# Internal and external interfaces (run 'ifconfig' to find interfaces)
int_if = "xl0"
ext_if = "rl0"
# Ports we want to allow access to from the outside world
torrent_port = "{ 39999 }"
icmp_types = "echoreq"
# Networked computers to redirect traffic to
hackedpackard = "192.168.3.84"
# Block incoming traffic from private networks
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
#
## GLOBAL OPTIONS
#
set block-policy return
set loginterface $ext_if
# Disable filtering on loopback
set skip on lo0
#
## TRAFFIC NORMALISATION
#
scrub in all
#
## TRANSLATION RULES (NAT)
#
# NAT traffic from internal network to external network through external
# interface
nat on $ext_if from !($ext_if) to any -> ($ext_if)
# Redirect torrent traffic ("port forwarding"). Translation happens before
# filtering, so the pass rule further down must match the post-rdr destination
# ($hackedpackard). Only packets arriving on $ext_if are redirected: a scan run
# from inside the LAN against the external address never hits this rule.
rdr on $ext_if proto tcp from any to any port $torrent_port -> $hackedpackard
#
## FILTER RULES
#
# Default deny rule
block in
# Allow traffic to leave an interface once it is in
pass out keep state
# Spoofed address protection
antispoof log quick for { lo $int_if }
# Block private network addresses (RFC 1918). Caveat: if $ext_if itself sits
# on an RFC 1918 address (e.g. behind a home router doing its own NAT), the
# inbound rule also drops every packet arriving from that private range,
# forwarded torrent connections included. Both rules log, so pflog0 is the
# first place to look when the forward appears dead.
block drop in log (all) quick on $ext_if from $priv_nets to any
block drop out log (all) quick on $ext_if from any to $priv_nets
# As well as the redirect rule to pass torrent traffic to $hackedpackard,
# we also need to pass this traffic through the firewall.
# We'll use the TCP SYN proxy for further protection. Note that with synproxy
# PF completes the TCP handshake itself, so a SYN scan reports the port open
# whenever this rule matches, even if $hackedpackard is down. A scan that does
# not report it open means the SYN never matched this rule.
pass in on $ext_if inet proto tcp from any to $hackedpackard port \
    $torrent_port synproxy state
# Pass ICMP traffic
pass in inet proto icmp all icmp-type $icmp_types keep state
# Pass traffic to and from the internal network - this could be more
# restrictive!
pass in quick on $int_if
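Added example, not part of the original post: a small sh script that triages a PF rdr port forward like the one above from the three outputs you would collect on the firewall (pfctl -sn for the loaded translation rules, tcpdump on pflog0 for logged blocks, pfctl -ss for the state table). The port 39999 and host 192.168.3.84 come from the posted config; every sample line in the script is constructed to resemble pfctl/tcpdump output, and the addresses 198.51.100.7 and 203.0.113.5 are assumed documentation addresses, not real hosts.

```shell
#!/bin/sh
# Added example, not from the original post: offline triage of a PF rdr port
# forward from the three outputs you would collect on the firewall:
#   pfctl -sn                    is the rdr rule loaded for the expected port?
#   tcpdump -n -e -l -i pflog0   is a logged block rule eating the SYN?
#   pfctl -ss                    did the synproxy pass rule create state?
# Port and target host come from the post; every sample line below is
# CONSTRUCTED to resemble pfctl/tcpdump output (198.51.100.7 and 203.0.113.5
# are documentation addresses, not real hosts).

FWD_PORT=39999
FWD_HOST=192.168.3.84

# Print the loaded rdr rule for the forward; exit status 1 if there is none.
rdr_loaded() {
    printf '%s\n' "$1" | grep -E "^rdr .*port = ${FWD_PORT} -> ${FWD_HOST}"
}

# Print the number of the first logged block rule that matched an inbound
# packet to the forwarded port; exit status 1 if nothing was blocked.
blocked_by_rule() {
    printf '%s\n' "$1" \
        | grep -E "block in on .*\.${FWD_PORT}: " \
        | sed -nE 's/^.*rule ([0-9]+).*$/\1/p' \
        | head -n 1 \
        | grep .
}

# Print the state entry for the forward once PF's synproxy has completed the
# outside handshake (ESTABLISHED:ESTABLISHED); exit status 1 if absent.
state_established() {
    printf '%s\n' "$1" \
        | grep -E "tcp ${FWD_HOST}:${FWD_PORT}" \
        | grep 'ESTABLISHED:ESTABLISHED'
}

# One verdict line from the three outputs: NO_RDR, BLOCKED, OK or NO_STATE.
diagnose() {
    nat_rules=$1; pflog=$2; states=$3
    if ! rdr_loaded "$nat_rules" >/dev/null; then
        echo "NO_RDR: no rdr rule for port ${FWD_PORT} -> ${FWD_HOST} is loaded"
        return 0
    fi
    if rule=$(blocked_by_rule "$pflog"); then
        echo "BLOCKED: SYN to port ${FWD_PORT} dropped by rule ${rule} (see pfctl -vvsr)"
        return 0
    fi
    if state_established "$states" >/dev/null; then
        echo "OK: synproxy state exists for ${FWD_HOST}:${FWD_PORT}"
    else
        echo "NO_STATE: nothing logged as blocked and no state, so the SYN never reached port ${FWD_PORT} on the outside interface"
    fi
}

# Live use on the firewall as root: start a SYN scan from outside, let this
# capture up to 20 pflog packets, then diagnose.  Usage: sh pfchk.sh live
live() {
    nat=$(pfctl -sn)
    pflog=$(tcpdump -n -e -l -c 20 -i pflog0 2>/dev/null || true)
    states=$(pfctl -ss)
    diagnose "$nat" "$pflog" "$states"
}

# Constructed sample outputs in the shape pfctl -sn, pflog and pfctl -ss print.
NAT_SAMPLE='nat on rl0 inet from ! (rl0) to any -> (rl0) round-robin
rdr on rl0 inet proto tcp from any to any port = 39999 -> 192.168.3.84'
PFLOG_BLOCKED='000000 rule 3/0(match): block in on rl0: 203.0.113.5.51234 > 192.168.3.84.39999: S 1234:1234(0) win 65535'
STATES_OK='all tcp 192.168.3.84:39999 (198.51.100.7:39999) <- 203.0.113.5:51234       ESTABLISHED:ESTABLISHED'

if [ "${1:-}" = live ]; then
    live
else
    # Walk the failure and success cases offline.
    diagnose "" "" ""                              # NO_RDR
    diagnose "$NAT_SAMPLE" "$PFLOG_BLOCKED" ""     # BLOCKED by rule 3
    diagnose "$NAT_SAMPLE" "" ""                   # NO_STATE
    diagnose "$NAT_SAMPLE" "" "$STATES_OK"         # OK
fi
```

The point of the BLOCKED check is that both private-network block rules in the posted config log every hit, so a forward killed by them leaves a pflog entry naming the rule number; NO_STATE with nothing logged means the SYN is not arriving on the outside interface at all (scanning from inside the LAN, or an upstream device not passing the port), which no amount of pf.conf editing will fix.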