On Mon, 22 Sep 2025 15:39:46 -0000 (UTC), [email protected] (Michael van Elst) wrote:

| [email protected] (Luis Mendes) writes:
|
| >Hi,
|
| >## Issue nr 1
| >I was expecting to have several ports open in my SOHO router/firewall, but
| >a scan from an outside host showed only port 11110 to be opened:
|
| A port list works for me. I'm using lists and ranges.

Hello Michael,

Thank you for your help.

Maybe I didn't explain correctly. What I meant is that although I had several ports that should be open, by the rules, only one was detected by a massive scan. The "should be" is in my understanding only.

|
| >## Issue nr 2
|
| >I need to open ports 500 and 4500 on udp, and also proto 50 for a corporate
| >laptop to connect to the Forticlient VPN server.
| >In OpenBSD's pf, that was accomplished with these rules:
| >pass in on re0 inet proto udp from any port = 500 to 192.168.1.12
| >pass in on re0 inet proto udp from any port = 4500 to 192.168.1.12
| >pass in on re0 inet proto esp from any to 192.168.1.12
|
|
| You need to have stateless rules for both directions. Mixing
| a stateless 'in' with a stateful 'out' can have problems.
| The stateless rules (with final) should then also come before
| all stateful rules.
|
| E.g. this is for regular IPSec:
|
| # allow known IPSEC traffic
| pass out final proto udp from $ext_v4 \
|     port isakmp to $ipsec_peers port isakmp
| pass in final proto udp from $ipsec_peers \
|     port isakmp to $ext_v4 port isakmp
| pass out final proto esp from $ext_v4 to $ipsec_peers
| pass in final proto esp from $ipsec_peers to $ext_v4

Regarding the $ipsec_peers, I don't have that information. Maybe I have to use 'any'.

I'll try this and get back to you.

Thank you,
Luís Mendes
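As an added illustration (not the configuration of either poster), the npf.conf fragment below applies Michael's advice to the three flows in Luís's pf rules: one stateless, `final` rule per direction for IKE (udp/500), NAT-T (udp/4500) and ESP (proto 50), all placed ahead of the stateful rules in the same group, with `any` standing in for the unknown `$ipsec_peers`. The interface name `re0` (taken from the pf rules), the variable and group names, and the assumption that the filter sees the laptop's address `192.168.1.12` directly are all assumptions; if that host sits behind NAT on this router, whether NPF filters on the private or the translated address is not covered in the thread and must be checked separately.

```conf
# Added example npf.conf fragment for NetBSD's NPF. Not from the thread;
# interface, address and group names are assumptions.
$ext_if   = "re0"            # interface the VPN traffic crosses (assumed)
$vpn_host = 192.168.1.12     # the Forticlient laptop, from Luis's pf rules

group "external" on $ext_if {
    # Stateless rules for IKE (udp/500), NAT-T (udp/4500) and ESP, one per
    # direction. 'final' makes them decide the packet before any stateful
    # rule below is consulted. The remote peer is 'any' because the VPN
    # server address is not known.
    pass out final proto udp from $vpn_host port isakmp to any port isakmp
    pass in  final proto udp from any port isakmp to $vpn_host port isakmp
    pass out final proto udp from $vpn_host port 4500 to any port 4500
    pass in  final proto udp from any port 4500 to $vpn_host port 4500
    pass out final proto esp from $vpn_host to any
    pass in  final proto esp from any to $vpn_host

    # Stateful rules only after the stateless block above, so an outbound
    # IKE packet never creates a session that the stateless 'in' rule
    # would then bypass.
    pass stateful out final all
    block in final all
}

group default {
    pass final on lo0 all
    block all
}
```

Check the file with `npfctl validate` before loading it with `npfctl reload`; a scan such as the one in Issue nr 1 then shows whether the expected ports actually answer from outside.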
