Hi all!
 
I want to open port 411 from the internet to a LAN PC.
I think that ipnat is working OK but my fw is blocking.
Any suggestion for the problem?
 
//Jan
 
uname = FreeBSD 6.0-RELEASE-p4
 
# ipnat -l
List of active MAP/Redirect filters:
map xl0 192.168.1.0/24 -> 0.0.0.0/32
rdr xl0 0.0.0.0/0 port 466 -> 192.168.1.52 port 466 tcp/udp
 
List of active sessions:
RDR 192.168.1.52    411   <- -> 217.210.57.236  411   [84.217.65.221 62373]
RDR 192.168.1.52    411   <- -> 217.210.57.236  411   [213.65.160.198 3351]
RDR 192.168.1.52    411   <- -> 217.210.57.236  411   [80.98.62.116 63637]
#more ipnat.rules

#################################################################
# Outside Interface
#################################################################
#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state on it
# so that it's allowed back in.
#
# If you wanted to do egress filtering...here's where you'd do it.
# You'd change the lines below so that rather than allowing out any
# arbitrary TCP connection, it would only allow out mail, pop3, and http
# connections (for example). So, the first line, below, would be
# replaced with:
# pass out quick on xl0 proto tcp from any to any port = 21 keep state
# pass out quick on xl0 proto tcp from any to any port = 110 keep state
# pass out quick on xl0 proto tcp from any to any port = 80 keep state
# ...and then do the same for the remaining lines so that you allow
# only specified protocols/ports 'out' of your network
#----------------------------------------------------------------

# Allow out access to my ISP's Domain name server.
# xxx must be the IP address of your ISP's DNS.
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
# pass out quick on dc0 proto tcp from any to 195.67.199.39 port = 53 flags S keep state
# pass out quick on dc0 proto udp from any to 195.67.199.40 port = 53 keep state
pass out quick on xl0 proto tcp from any to any keep state
pass out quick on xl0 proto udp from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state
block out quick on xl0 all
pass in on xl0 proto tcp/udp from any to 192.168.1.52/32 port = 411 keep state
pass out quick on tun0 proto tcp from any to any keep state
pass out quick on tun0 proto udp from any to any keep state
pass out quick on tun0 proto icmp from any to any keep state
pass in quick on tun0 proto tcp from any to any keep state
pass in quick on tun0 proto udp from any to any keep state
pass in quick on tun0 proto icmp from any to any keep state

#-----------------------------------------------------------------------
# Block all inbound traffic from non-routable or reserved address spaces
#-----------------------------------------------------------------------
block in log quick on xl0 from 192.168.0.0/16 to any #RFC 1918 private IP
block in log quick on xl0 from 172.16.0.0/12 to any #RFC 1918 private IP
block in log quick on xl0 from 10.0.0.0/8 to any #RFC 1918 private IP
block in log quick on xl0 from 127.0.0.0/8 to any #loopback
block in log quick on xl0 from 0.0.0.0/8 to any #loopback
block in log quick on xl0 from 169.254.0.0/16 to any #DHCP auto-config
block in log quick on xl0 from 192.0.2.0/24 to any #reserved for doc's
block in log quick on xl0 from 204.152.64.0/23 to any #Sun cluster interconnect
block in quick on xl0 from 224.0.0.0/3 to any #Class D & E multicast

#----------------------------------------------------------------
# Allow bootp traffic in from your ISP's DHCP server only.
#----------------------------------------------------------------
# pass in quick on xl0 proto udp from X.X.X.X/32 to any port = 68 keep state

#----------------------------------------------------------------
# If you wanted to set up a web server or mail server on your box
# (which is outside the scope of this howto), or allow another system
# on the Internet to externally SSH into your firewall, you'd want to
# uncomment the following lines and modify as appropriate. If you
# have other services running that you need to allow external access
# to, just add more lines using these as examples.
#
# If the services are on a box on your internal network (rather than
# the firewall itself), you'll have to add both the filter listed below,
# plus a redirect rule in your /etc/ipnat.rules file.
#----------------------------------------------------------------
pass in quick on xl0 proto tcp from any to any port = 80 flags S keep state keep frags
# pass in quick on xl0 proto tcp from any to any port = 25 flags S keep state keep frags
pass in quick on xl0 proto tcp from any to any port = 22 flags S keep state keep frags
pass in quick on xl0 proto tcp from any to any port = 20 flags S keep state keep frags
pass in quick on xl0 proto tcp from any to any port = 21 flags S keep state keep frags

#----------------------------------------------------------------
# Block and log all remaining traffic coming into the firewall
# - Block TCP with a RST (to make it appear as if the service
# isn't listening)
# - Block UDP with an ICMP Port Unreachable (to make it appear
# as if the service isn't listening)
# - Block all remaining traffic the good 'ol fashioned way
#----------------------------------------------------------------
block return-rst in log quick on xl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp from any to any
block in log quick on xl0 all

#################################################################
# Inside Interface
#################################################################
#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass out quick on xl1 proto tcp from any to any keep state
pass out quick on xl1 proto udp from any to any keep state
pass out quick on xl1 proto icmp from any to any keep state
block out quick on xl1 all

#----------------------------------------------------------------
# Allow in all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass in quick on xl1 proto tcp from any to any keep state
pass in quick on xl1 proto udp from any to any keep state
pass in quick on xl1 proto icmp from any to any keep state
block in quick on xl1 all

#################################################################
# Loopback Interface
#################################################################
#----------------------------------------------------------------
# Allow everything to/from your loopback interface so you
# can ping yourself (e.g. ping localhost)
#----------------------------------------------------------------
pass in quick on lo0 all
pass out quick on lo0 all

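The rule set above has a classic IPFilter ordering problem: the port 411 `pass in` rule is not marked `quick`, so later rules keep being evaluated and the `block return-rst in log quick ... proto tcp` catch-all wins. The following Python script is an added example, not part of the original post or of any IPFilter tool: it simulates ipf's two evaluation rules ("quick" ends evaluation with that rule's verdict, otherwise the last matching rule wins) over an excerpt of the poster's xl0 rules and shows which line decides the fate of an inbound connection to 192.168.1.52:411. The parser is deliberately minimal (action, direction, log, quick, `on`, `proto`, `from`/`to` with optional CIDR and `port = N`; `keep state` and `flags` are ignored), the rule excerpt is constructed from the posted file with comments and the tun0/xl1/lo0 sections dropped, the source address is taken from the posted session table, and the packet is assumed to have already been rewritten by ipnat (on FreeBSD, inbound NAT runs before the filter, so the filter sees the LAN destination). A default of "pass" when nothing matches is also an assumption.

```python
"""Simulate IPFilter (ipf) rule evaluation for one packet (added example)."""
import ipaddress
import re

# Minimal ipf rule grammar: enough for the rules in the posted file.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?:\s+return-\S+)?\s+"
    r"(?P<dir>in|out)(?:\s+(?P<log>log))?(?:\s+(?P<quick>quick))?"
    r"\s+on\s+(?P<iface>\S+)"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"(?:\s+from\s+(?P<src>\S+)(?:\s+port\s*=\s*(?P<sport>\d+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+port\s*=\s*(?P<dport>\d+))?|\s+all)"
)

# Constructed excerpt of the poster's xl0 rules, order preserved, comments dropped.
POSTED_RULES = """\
pass out quick on xl0 proto tcp from any to any keep state
pass out quick on xl0 proto udp from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state
block out quick on xl0 all
pass in on xl0 proto tcp/udp from any to 192.168.1.52/32 port = 411 keep state
block in log quick on xl0 from 192.168.0.0/16 to any
block in log quick on xl0 from 10.0.0.0/8 to any
pass in quick on xl0 proto tcp from any to any port = 80 flags S keep state keep frags
pass in quick on xl0 proto tcp from any to any port = 22 flags S keep state keep frags
block return-rst in log quick on xl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp from any to any
block in log quick on xl0 all
"""

# Constructed inbound packet as ipf sees it after ipnat's rdr has rewritten
# the destination; the source is one of the peers in the posted session table.
PKT = {"dir": "in", "iface": "xl0", "proto": "tcp",
       "src": "80.98.62.116", "sport": 63637,
       "dst": "192.168.1.52", "dport": 411}


def _addr_ok(spec, ip):
    """'any' matches everything; otherwise test membership in the IP/CIDR spec."""
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _matches(m, pkt):
    """Does parsed rule m apply to pkt? Mirrors ipf's per-rule match fields."""
    if m["dir"] != pkt["dir"] or m["iface"] != pkt["iface"]:
        return False
    if m["proto"] and pkt["proto"] not in m["proto"].split("/"):
        return False
    if m["src"] is None:  # the 'all' form: any address, any port
        return True
    if not _addr_ok(m["src"], pkt["src"]) or not _addr_ok(m["dst"], pkt["dst"]):
        return False
    if m["sport"] and int(m["sport"]) != pkt["sport"]:
        return False
    if m["dport"] and int(m["dport"]) != pkt["dport"]:
        return False
    return True


def evaluate(rules_text, pkt):
    """Return (verdict, deciding_line). ipf semantics: a matching 'quick' rule
    ends evaluation; otherwise the LAST matching rule determines the verdict.
    Assumes a default of pass when no rule matches."""
    verdict = ("pass", None)
    for lineno, raw in enumerate(rules_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:  # unsupported syntax (e.g. NAT lines) is skipped
            continue
        if _matches(m, pkt):
            verdict = (m["action"], lineno)
            if m["quick"]:
                break
    return verdict


def hardened(rules_text, rule_line, before_line):
    """Mark the pass rule at rule_line 'quick' and move it to sit just before
    before_line (both 1-based, in the ORIGINAL numbering): after the anti-spoof
    blocks, but ahead of the catch-all blocks that otherwise override it."""
    lines = rules_text.splitlines()
    rule = re.sub(r"\b(in|out)\b", r"\1 quick", lines.pop(rule_line - 1), count=1)
    lines.insert(before_line - 2, rule)  # -1 for 0-based, -1 for the pop above
    return "\n".join(lines) + "\n"


# Move the port 411 rule (line 5) to just before 'block return-rst' (line 10).
FIXED_RULES = hardened(POSTED_RULES, 5, 10)

if __name__ == "__main__":
    print("posted rules:", evaluate(POSTED_RULES, PKT))   # ('block', 10)
    print("fixed rules: ", evaluate(FIXED_RULES, PKT))    # ('pass', 9)
    print("spoofed src: ", evaluate(FIXED_RULES, dict(PKT, src="10.1.2.3")))  # ('block', 6)
```

Two points the simulation makes explicit: adding `quick` in place would also work for this packet, but because the original rule sits above the RFC 1918 anti-spoof blocks, a `quick` rule there would let a packet with a spoofed private source through to port 411, which is why the example moves the rule below those blocks. Separately, the posted `ipnat -l` output shows the `rdr` on port 466 while the filter rule and the active sessions use 411; the example assumes the redirect really targets 411 as the session table suggests, and that mismatch is worth checking before touching the filter.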