help to allow bitorrent to work through my IPfilter firewall? - BSD



Thread: help to allow bitorrent to work through my IPfilter firewall?

  1. help to allow bitorrent to work through my IPfilter firewall?

    I have these rules - but my bittorrent is not working properly. Please can
    you tell me what line to add to allow bittorrent to work? thanks:

    -----------------------------------------------------------------

    pass out quick on rl0 all
    pass in quick on rl0 all

    #################################################################
    # No restrictions on Loopback Interface
    #################################################################
    pass in quick on lo0 all
    pass out quick on lo0 all

    #################################################################
    # Interface facing Public internet (Outbound Section)
    # Interrogate session start requests originating from behind the
    # firewall on the private network
    # or from this gateway server destined for the public internet.
    #################################################################

    # Allow out access to my ISP's Domain name server.
    pass out quick on rl0 proto tcp from any to 192.168.1.1 port = 53 flags S keep state
    pass out quick on rl0 proto udp from any to 192.168.1.1 port = 53 keep state
    # Allow out access to my ISP's DHCP server for cable or DSL networks.
    pass out quick on rl0 proto udp from any to 192.168.1.1 port = 67 keep state

    # Allow out non-secure standard www function
    pass out quick on rl0 proto tcp from any to any port = 80 flags S keep state

    # Allow out secure www function https over TLS SSL
    pass out quick on rl0 proto tcp from any to any port = 443 flags S keep state

    # Allow out send & get email function
    pass out quick on rl0 proto tcp from any to any port = 110 flags S keep state
    pass out quick on rl0 proto tcp from any to any port = 25 flags S keep state

    # Allow out Time
    pass out quick on rl0 proto tcp from any to any port = 37 flags S keep state

    # Allow out nntp news
    pass out quick on rl0 proto tcp from any to any port = 119 flags S keep state

    # Allow out gateway & LAN users non-secure FTP ( both passive & active modes)
    # This function uses the IPNAT built in FTP proxy function coded in
    # the nat rules file to make this single rule function correctly.
    # If you want to use the pkg_add command to install application packages
    # on your gateway system you need this rule.
    pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state

    # Allow out secure FTP, Telnet, and SCP
    # This function is using SSH (secure shell)
    pass out quick on rl0 proto tcp from any to any port = 22 flags S keep state

    # Allow out non-secure Telnet
    pass out quick on rl0 proto tcp from any to any port = 23 flags S keep state

    # Allow out FBSD CVSUP function
    pass out quick on rl0 proto tcp from any to any port = 5999 flags S keep state

    # Allow out ping to public Internet
    pass out quick on rl0 proto icmp from any to any icmp-type 8 keep state

    # Allow out whois for LAN PC to public Internet
    pass out quick on rl0 proto tcp from any to any port = 43 flags S keep state

    # Block and log only the first occurrence of everything
    # else that's trying to get out.
    # This rule enforces the block all by default logic.
    block out log first quick on rl0 all

    #################################################################
    # Interface facing Public internet (Inbound Section)
    # Interrogate packets originating from the public internet
    # destined for this gateway server or the private network.
    #################################################################

    # Block all inbound traffic from non-routable or reserved address spaces
    block in quick on rl0 from 192.168.0.0/16 to any #RFC 1918 private IP
    block in quick on rl0 from 172.16.0.0/12 to any #RFC 1918 private IP
    block in quick on rl0 from 10.0.0.0/8 to any #RFC 1918 private IP
    block in quick on rl0 from 127.0.0.0/8 to any #loopback
    block in quick on rl0 from 0.0.0.0/8 to any #loopback
    block in quick on rl0 from 169.254.0.0/16 to any #DHCP auto-config
    block in quick on rl0 from 192.0.2.0/24 to any #reserved for doc's
    block in quick on rl0 from 204.152.64.0/23 to any #Sun cluster interconnect
    block in quick on rl0 from 224.0.0.0/3 to any #Class D & E multicast

    ##### Block a bunch of different nasty things. ############
    # That I don’t want to see in the log

    # Block frags
    block in quick on rl0 all with frags

    # Block short tcp packets
    block in quick on rl0 proto tcp all with short

    # block source routed packets
    block in quick on rl0 all with opt lsrr
    block in quick on rl0 all with opt ssrr

    # Block nmap OS fingerprint attempts
    # Log first occurrence of these so I can get their IP address
    block in log first quick on rl0 proto tcp from any to any flags FUP

    # Block anything with special options
    block in quick on rl0 all with ipopts

    # Block public pings
    block in quick on rl0 proto icmp all icmp-type 8

    # Block ident
    block in quick on rl0 proto tcp from any to any port = 113

    # Block all Netbios service. 137=name, 138=datagram, 139=session
    # Netbios is MS/Windows sharing services.
    # Block MS/Windows hosts2 name server requests 81
    block in log first quick on rl0 proto tcp/udp from any to any port = 137
    block in log first quick on rl0 proto tcp/udp from any to any port = 138
    block in log first quick on rl0 proto tcp/udp from any to any port = 139
    block in log first quick on rl0 proto tcp/udp from any to any port = 81

    # Allow traffic in from ISP's DHCP server. This rule must contain
    # the IP address of your ISP’s DHCP server as it’s the only
    # authorized source to send this packet type. Only necessary for
    # cable or DSL configurations. This rule is not needed for
    # ‘user ppp’ type connection to the public internet.
    # This is the same IP address you captured and
    # used in the outbound section.
    pass in quick on rl0 proto udp from 192.168.1.1 to any port = 68 keep state


    # Block and log only first occurrence of all remaining traffic
    # coming into the firewall. The logging of only the first
    # occurrence stops a ‘denial of service’ attack targeted
    # at filling up your log file space.
    # This rule enforces the block all by default logic.
    block in log first quick on rl0 all

  2. Re: help to allow bitorrent to work through my IPfilter firewall?

    On Sun, 10 Aug 2008 00:28:34 +0100, NVangogh wrote:

    > I have these rules - but my bittorrent is not working properly. Please
    > can you tell me what line to add to allow bittorrent to work? thanks:


    If you do a "sockstat -4 -l", you'll see which port(s) your bittorrent
    client is listening on. Then simply allow any incoming traffic to that/
    those port(s).

    Similarly, "sockstat -4 -c" will show all connected ports, including
    outgoing, so you can make sure you're not blocking anything outgoing from
    bittorrent as well. You'll want to temporarily disable your firewall to
    glean any useful information from this, of course.

    Hope this helps. I'm not all that familiar with ipfilter usage. I've
    always just used ipfw, myself.

    --
    PROOF OF GOD #39. ARGUMENT FROM NONBELIEF
    (1) The majority of the world's population are nonbelievers in
    Christianity.
    (2) This is just what Satan intended.
    (3) Therefore, God exists.
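Turning the advice in this reply into a repeatable check, as an added example that is not code from either poster: a POSIX shell script that parses the output of "sockstat -4 -l" for a named client process and emits IPFilter "pass in" rules in the same style as the ruleset in the first post (quick, keep state, flags S for TCP). The sockstat output, the client name rtorrent, the user name and the port numbers below are constructed for the example; the interface rl0 is the one used in the thread.

```shell
#!/bin/sh
# Constructed sample of "sockstat -4 -l" output in FreeBSD's column layout
# (USER COMMAND PID FD PROTO "LOCAL ADDRESS" "FOREIGN ADDRESS"); not taken from the thread.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       612   4  tcp4   *:22                  *:*
nvangogh rtorrent   1873  7  tcp4   *:6881                *:*
nvangogh rtorrent   1873  9  udp4   *:6881                *:*
nvangogh rtorrent   1873  12 tcp4   127.0.0.1:5000        *:*
root     syslogd    501   5  udp4   *:514                 *:*'

# listening_ports CMD: read "sockstat -4 -l" output on stdin and print one
# "proto port" pair per distinct listening socket owned by command CMD.
# Sockets bound only to 127.0.0.1 are skipped: lo0 already passes everything,
# so they need no rule on the public interface.
listening_ports() {
    awk -v cmd="$1" 'NR > 1 && $2 == cmd {
        proto = $5; sub(/4$/, "", proto)          # tcp4 -> tcp, udp4 -> udp
        n = split($6, a, ":"); host = a[1]; port = a[n]
        if (host == "127.0.0.1") next
        key = proto " " port
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# ipf_pass_rules IFACE CMD: emit an IPFilter "pass in" rule for each listening
# socket of CMD, matching the conventions of the posted ruleset: quick, keep
# state, and "flags S" so only TCP session starts create state entries.
ipf_pass_rules() {
    iface="$1"
    listening_ports "$2" | while read -r proto port; do
        if [ "$proto" = "tcp" ]; then
            printf 'pass in quick on %s proto tcp from any to any port = %s flags S keep state\n' "$iface" "$port"
        else
            printf 'pass in quick on %s proto udp from any to any port = %s keep state\n' "$iface" "$port"
        fi
    done
}

# Stand-alone demo on the constructed sample. On a live system the same
# function takes the real command: sockstat -4 -l | ipf_pass_rules rl0 rtorrent
printf '%s\n' "$SAMPLE_SOCKSTAT" | ipf_pass_rules rl0 rtorrent
```

The emitted lines belong in the inbound section ahead of the final "block in log first quick on rl0 all": that rule is "quick", so anything it matches is dropped before later rules are consulted. For the same reason, a "pass in quick on rl0 all" near the top of the file, as in the first post, matches every inbound packet before the rest of the ruleset is reached, so the generated rules (and the block rules below them) only take effect once that catch-all is gone.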

  3. Re: help to allow bitorrent to work through my IPfilter firewall?


    thanks - this was helpful.
