Solved PF rules for IRC traffic

Atsuri

Active Member


Recently I started dabbling with Packet Filter (PF) to set up my firewall. So far I have read a bit of the PF Handbook and our FreeBSD Handbook (chapter on PF). The firewall works fine and the rules seem sane. However, I cannot connect to #freenode with PF enabled.

Does anyone know any pass rule setups which would allow only IRC traffic through (all other unwanted traffic being blocked)? Which ports would need to be left open, etc.?

If this has been covered somewhere already, I would be very happy if someone could point me to the correct literature :).
 

jrm@

Daemon
Developer


This depends on what port you use to connect to Freenode servers. All freenode servers listen on ports 6665, 6666, 6667, 6697 (SSL only), 7000 (SSL only), 7070 (SSL only), 8000, 8001 and 8002.

Here is a simple example /etc/pf.conf that blocks everything except one outbound IRC port.
Code:
out_tcp_services = "{ 6697 }"                  # macro: the one IRC port allowed out
block all                                      # default deny, both directions
pass out proto tcp to port $out_tcp_services   # stateful by default, so replies get back in
 

Atsuri

Active Member


I was using HexChat as the GUI front-end and the 6697 port. However, my code line was wrong:
Code:
pass in on $ext_if proto tcp from any to $ext_if port 6697 keep state
I believe the fact that I was trying to capture only the incoming packets was wrong.

Your line in a slightly modified form worked:
Code:
pass out on $ext_if proto tcp to port 6697

Thank you kindly! :)

EDIT:
I think the solution was incomplete as I could only connect to freenode's IRC channels, but didn't receive any packets back.

This finally solved the problem:
Code:
pass on $ext_if proto tcp to port 6697

Without 'in' and 'out' specified, the connection is passed in both directions.

$ext_if is of course an alias for my network interface :).
 

kpa

Beastie's Twin


No, that's wrong (and slightly dangerous because you're now allowing TCP connections to your external address at port 6697) and the problem must have been somewhere else. PF uses stateful filtering by default unless you specify no state in the rule. This means the reply packets of a connection are automatically caught by the state that was created when the rule was matched the first time.
 
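Putting jrm's skeleton and kpa's point about state together, here is an added example of a complete minimal /etc/pf.conf for an IRC-only client; it is not taken from any post in this thread. The interface name em0 and the decision to allow only freenode's TLS ports (plus DNS, so the server name can be resolved) are assumptions; the port numbers themselves are the ones jrm listed.

```pf
# Added example, not from the thread: a stateful, outbound-only /etc/pf.conf
# for a host that should do nothing but IRC over TLS.
ext_if        = "em0"                    # assumption: your external interface
irc_tls_ports = "{ 6697, 7000, 7070 }"   # freenode's SSL-only ports from jrm's list

set skip on lo0          # never filter loopback
block in log all         # default deny: nothing unsolicited comes in (logged to pflog0)
block out all            # default deny: nothing leaves unless a pass out rule matches

# DNS so the client can resolve the IRC server name before connecting.
pass out on $ext_if proto udp to any port 53 keep state

# Outbound IRC over TLS. "keep state" and "flags S/SA" are already the defaults for
# TCP pass rules, written out here to make kpa's point explicit: the state entry
# created by the client's SYN lets the server's replies back in, so no "pass in"
# rule on these ports is needed, and none should be added.
pass out on $ext_if proto tcp to any port $irc_tls_ports flags S/SA keep state

# What NOT to do (the thread's intermediate fix). Without a direction this rule also
# matches inbound connections to port 6697 on $ext_if, opening that port to anyone:
# pass on $ext_if proto tcp to port 6697
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf. After the IRC client connects, pfctl -ss lists the state entry for the connection to port 6697; that entry, not a pass in rule, is what admits the server's reply packets.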

Atsuri

Active Member


kpa said:
No, that's wrong (and slightly dangerous because you're now allowing TCP connections to your external address at port 6697) and the problem must have been somewhere else. PF uses stateful filtering by default unless you specify no state in the rule. This means the reply packets of a connection are automatically caught by the state that was created when the rule was matched the first time.

I fixed the offending line and set it back to 'pass out'. It still works as intended. I erred in my prior observation most likely. My bad!

Either way, case closed. The port is properly opened for IRC networks :).

Thank you, kpa and jrm, for your contributions!
 