Re: connecting a PS4 via IPFW

2015-11-28 Thread Graham Menhennitt
On 28/11/2015 20:47, Thomás S. Bregolin wrote:
> Besides the redirect_port option, you still need rules allowing traffic
> in to those ports. Excuse me if you've done that already (I have no way
> of knowing).
>
>
> Sat, Nov 28, 2015 at 03:19:09PM +1100, Graham Menhennitt:
>> On 28/11/2015 05:03, Thomas wrote:
>>> Wed, Nov 25, 2015 at 04:00:12PM +1100, Graham Menhennitt:
>>>> I have a box running FreeBSD 10-stable that I use as a
>>>> router/firewall/NAT. It runs IPFW and uses kernel NAT. My son is nagging
>>>> me about playing multi-player online games on his Sony PS4.
>>>>
>>>> Giving up on that, I'm now trying to enable port forwarding -
>>>> apparently, this will fix it. I've allocated the PS4 a static IP address
>>>> on my LAN. I need to port forward TCP ports 80, 443, 1935, 3478-3480,
>>>> and UDP ports 3478-3479. I've tried the following command:
>>>>
>>>> ipfw nat 1 config if re1 same_ports \
>>>> redirect_port tcp ${PS4_LAN_ADDRESS}:1935 1935 \
>>>> redirect_port tcp ${PS4_LAN_ADDRESS}:3478 3478 \
>>>> redirect_port tcp ${PS4_LAN_ADDRESS}:3479 3479 \
>>>> redirect_port tcp ${PS4_LAN_ADDRESS}:3480 3480 \
>>>> redirect_port udp ${PS4_LAN_ADDRESS}:3478 3478 \
>>>> redirect_port udp ${PS4_LAN_ADDRESS}:3479 3479


Thanks again, Thomas and Ian.

I have attempted to let those ports in, but I'm not really sure what I'm
doing. My firewall rules are below - could you please have a look. I
allow almost all UDP and I've added rules for the four relevant TCP
ports. As Ian suggested, I've removed ports 80 and 443 from the redirects.

Thanks,
Graham

# stop spoofing
add deny all from LAN_NET to any in via OUTSIDE_IF
add deny all from WIFI_NET to any in via OUTSIDE_IF

# allow anything on the LAN
add allow all from any to any via LAN_IF

# and from the VPN
add allow all from any to any via VPN_IF

# allow anything from the wireless network to here and the outside world (but not to the LAN)
add allow ip from any to me via WIFI_IF
add allow ip from any to not LAN_NET via WIFI_IF

# create a table of addresses to block
table 1 flush
# add RFC1918 nets
table 1 add 10.0.0.0/8
table 1 add 172.16.0.0/12
table 1 add 192.168.0.0/16
# and draft-manning-dsua-03.txt nets
table 1 add 0.0.0.0/8
table 1 add 169.254.0.0/16
table 1 add 192.0.2.0/24
table 1 add 224.0.0.0/4
table 1 add 240.0.0.0/4
# stop entries in the table on the outside interface
add deny all from table(1) to any via OUTSIDE_IF

# allow setup of incoming SSH, IMAPS, and OpenVPN
add allow tcp from any to me ssh setup
add allow tcp from any to me imaps setup
add allow tcp from any to me openvpn setup
add allow udp from any to me openvpn

# allow IPP and SMTP from wireless
add allow ip from any to LAN_NET dst-port printer setup via WIFI_IF
add allow ip from any to me dst-port ipp setup via WIFI_IF
add allow ip from any to me dst-port smtp setup via WIFI_IF

# allow ICMP & UDP
#  ..except UPnP discovery
add deny udp from any to any 1900
#  .. and SIP in from outside
add deny udp from any to any in via OUTSIDE_IF dst-port 5060-5069
#add allow igmp from any to any
add allow icmp from any to any
add allow udp from any to any

# Network Address Translation.
nat 1 config if OUTSIDE_IF same_ports deny_in
add nat 1 ip4 from any to any via OUTSIDE_IF

# Allow TCP through if setup succeeded
add pass tcp from any to any established

# Allow IP fragments to pass through
add pass all from any to any frag

# allow TCP ports needed for PS4
add allow tcp from any to any 1935 in via OUTSIDE_IF setup
add allow tcp from any to any 3478 in via OUTSIDE_IF setup
add allow tcp from any to any 3479 in via OUTSIDE_IF setup
add allow tcp from any to any 3480 in via OUTSIDE_IF setup

# reject all setup of incoming connections from the outside
add deny tcp from any to any in via OUTSIDE_IF setup

# reject all setup of incoming connections from the wireless
add deny tcp from any to any in via WIFI_IF setup

# Allow setup of any other TCP connection
add pass tcp from any to any setup
___
freebsd-ipfw@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"


Re: Kernel NAT issues

2015-11-28 Thread Dewayne Geraghty
Nathan, I've gone the same way that you have, i.e. a bunch of jails that are
individually providing services & kernel NAT. It takes careful planning and
the knowledge that the default route will be the first IP in your jail.conf
list for each jail.

Getting jails to play nice means fiddling around with all interfaces. If
you can, take ipfw out of the equation until you can see tcpdump traffic
doing what you want; the challenge hasn't been ipfw in my experience. (&
yes, initially I've had three tcpdumps going at once too, along with old
friends: raw ip & ping.)
Enjoy the fun of getting it to work, it's well worth the effort. (And be
thankful that you aren't using pf; another level of complexity, but it suits my
needs perfectly) ;)
Dewayne


Re: connecting a PS4 via IPFW

2015-11-28 Thread Ian Smith
On Sat, 28 Nov 2015 15:19:09 +1100, Graham Menhennitt wrote:
 > On 28/11/2015 05:03, Thomas wrote:
 > > Aren't your regular NAT rules in NAT instance 1? That command will
 > > overwrite those and leave just the new ones.
 > >
 > > If that's the case, you can put those rules in a different NAT instance,
 > > or add them to the rest of your NAT rules.
 > >
 > >
 > > Wed, Nov 25, 2015 at 04:00:12PM +1100, Graham Menhennitt:
 > >> Hello IPFWers,
 > >>
 > >> I have a box running FreeBSD 10-stable that I use as a
 > >> router/firewall/NAT. It runs IPFW and uses kernel NAT. My son is nagging
 > >> me about playing multi-player online games on his Sony PS4.
 > >>
 > >> From what I've read, I could enable UPnP. But I've tried compiling the
 > >> net/miniupnpd port but it won't build for IPFW (and I don't want to
 > >> convert to PF).
 > >>
 > >> Giving up on that, I'm now trying to enable port forwarding -
 > >> apparently, this will fix it. I've allocated the PS4 a static IP address
 > >> on my LAN. I need to port forward TCP ports 80, 443, 1935, 3478-3480,
 > >> and UDP ports 3478-3479. I've tried the following command:
 > >>
 > >> ...
 > >> but that completely kills my Internet connection for all other uses (and
 > >> the PS4 still doesn't work!).
 > >>
 > Thanks for responding, Thomas. You're right - that's what's killing my
 > Internet connection. I've changed the command to:
 > 
 > ipfw nat 1 config if re1 same_ports \
 > redirect_port tcp ${PS4_LAN_ADDRESS}:80 80 \
 > redirect_port tcp ${PS4_LAN_ADDRESS}:443 443 \
 > redirect_port tcp ${PS4_LAN_ADDRESS}:1935 1935 \
 > redirect_port tcp ${PS4_LAN_ADDRESS}:3478 3478 \
 > redirect_port tcp ${PS4_LAN_ADDRESS}:3479 3479 \
 > redirect_port tcp ${PS4_LAN_ADDRESS}:3480 3480 \
 > redirect_port udp ${PS4_LAN_ADDRESS}:3478 3478 \
 > redirect_port udp ${PS4_LAN_ADDRESS}:3479 3479
 > 
 > At least it doesn't kill anything now. But the PS4 still doesn't work.
 > When I do "Test internet connection" on it, it says "NAT: Failed".

To add a little to what Thomas has contributed ..

Not knowing what ipfw rules you're running apart from NAT, it should be 
rewarding adding 'log' to rules that could block access, and/or adding 
'count log' rules to highlight the traffic to/from $PS4_LAN_ADDRESS, 
which should illustrate connection problems, NAT or other ipfw issues. 

Firstly I'd just run tcpdump on both outside and inside interfaces over
some test sessions.  Again, shouldn't take too long to spot the issue/s.

Often these sorts of things only want to use port 80 or 443 if they can't
connect on their more favoured ports and/or protocol, perhaps as a last
resort behind some corporate firewalls.  Personally I'd only expose 80
or 443 inbound if running host services on them; too many drive-by bots.

Does the PS4 have any setting for favoured protocol/port/s?  Perhaps you 
can limit it to a smaller range than all the above, fewer being better? 
For safety, you should deny and log accesses from the PS4 to unexpected 
hosts (including yours) and/or ports, rightly concerned about security - 
of which upnp is the antithesis!

 > For a DMZ, I need a separate network for the PS4 - is that right? That
 > means a separate physical connection (i.e. WAP or cable).

Separate network connection, whether physical or virtual.  Testing with 
tcpdump is a lot easier to find out how you can limit port forwarding, 
to see if it's wild enough to make a DMZ advisable for your use case.

And if PS4 usage becomes too heavy, dummynet becomes your best mate :)

cheers, Ian
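Ian suggests putting 'log' and 'count log' rules around $PS4_LAN_ADDRESS and denying (with log) anything the PS4 sends to unexpected hosts or ports; Graham's ruleset above forwards TCP 1935 and 3478-3480 and UDP 3478-3479. The script below is an added example, not code from either poster: it sorts ipfw log lines into hits on the forwarded ports, inbound attempts on anything else, and connections the PS4 itself opened. The log lines are constructed, and the PS4 address 192.168.1.50 and the interface names re0 (LAN) and re1 (outside) are assumed.

```python
import re
from collections import Counter

# Constructed sample ipfw log lines (syslog prefix stripped), in the format the
# ipfw 'log' keyword writes: rule number, action, proto, src, dst, direction, interface.
SAMPLE_LOG = """\
ipfw: 102 Accept TCP 203.0.113.7:51234 192.168.1.50:3478 in via re1
ipfw: 102 Accept TCP 203.0.113.7:51235 192.168.1.50:3478 in via re1
ipfw: 108 Deny TCP 198.51.100.9:40000 192.168.1.50:22 in via re1
ipfw: 200 Count UDP 192.168.1.50:3478 203.0.113.7:3478 in via re0
ipfw: 300 Deny TCP 192.168.1.50:49152 192.168.1.1:25 in via re0
ipfw: 108 Deny TCP 198.51.100.9:40002 192.168.1.1:22 in via re1
"""

LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)

# Ports Graham forwards to the PS4: TCP 1935 and 3478-3480, UDP 3478-3479.
PS4_PORTS = {"TCP": {1935, 3478, 3479, 3480}, "UDP": {3478, 3479}}

def parse_line(line):
    """Fields of one TCP/UDP ipfw log line, or None for anything else (e.g. ICMP)."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def audit(log_text, host, forwarded=PS4_PORTS):
    """Bucket the lines that involve `host` (the PS4 LAN address, an assumed value):
    inbound hits on the forwarded ports, inbound attempts on any other port, and
    connections the host itself opened, each keyed with the ipfw verdict."""
    out = {"in_forwarded": Counter(), "in_other": Counter(), "outbound": Counter()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        proto, dport = rec["proto"], int(rec["dport"])
        if rec["dst"] == host and rec["dir"] == "in":
            bucket = "in_forwarded" if dport in forwarded[proto] else "in_other"
            out[bucket][(proto, dport, rec["action"])] += 1
        elif rec["src"] == host:
            out["outbound"][(proto, rec["dst"], dport, rec["action"])] += 1
    return out

if __name__ == "__main__":
    for bucket, hits in audit(SAMPLE_LOG, "192.168.1.50").items():
        print(bucket, dict(hits))
```

Anything that lands in in_other or as a Deny in outbound is the traffic Ian's deny-and-log rules are meant to surface; the line aimed at the router itself (192.168.1.1:22) is ignored because it does not involve the PS4.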


Re: Kernel NAT issues

2015-11-28 Thread Julian Elischer

On 27/11/2015 12:55 PM, Nathan Aherne wrote:

Hi Julian,

Thank you for replying. I was completely off grid for a while and only got back
on it today.

I thought that Vimage was probably the way to achieve what I want. The main
reason I was staying away from Vimage was the reported bugs with it; another
reason was the extra overhead. I would like to be able to shut down jails quite
regularly, so I was worried the kernel panic bug or memory leak bug might be a
problem here. Is there any version of Vimage/FreeBSD which is stable?
Generally vimage is stable. It has had problems with pf over the years
because pf is imported from OpenBSD and has some pretty
vimage-unfriendly assumptions in its design, but I hear that even some
of these have been ironed out.
I know of vimage being used to run production virtual systems in some
of the largest banks in the world, processing amounts of transactions
that would make your head spin, so have a small play with it.

Vimage overhead is negative in some situations, i.e. things work faster.
This is especially true when non-vimage workloads contest a single
lock heavily, but vimage splits it over many locks, one for each VM.

Run up a virtualbox or amazon or whatever freebsd instance and play
around with it.
Once you realize how insanely powerful it is, you will wonder how you
ever did jails without it.

Regards,

Nathan


On 23 Nov 2015, at 5:02 pm, Julian Elischer  wrote:

On 21/11/2015 10:06 AM, Nathan Aherne wrote:

I had a bit of a think about how to describe what I am trying to achieve.

I am treating each jail like its own little "virtual machine". The jail
provides certain services, using things like nginx or nodejs, php-fpm, mysql or
postgresql. The jails can control connections to themselves by configuring the
firewall ports that are opened on their IP (10.0.0.0/16 or a public IP). I
know the jails have no firewall of their own; the firewall is configured from the
host.

I want each jail or “virtual machine” to be able to communicate with one 
another and the wider internet. When a jail does a DNS query for another App 
jail, it may get a public IP on its own Host (or it may get another host) and 
it has no issues being able to communicate with another jail on the same host.

At the moment all of the above is working perfectly except for jail to jail 
communication on the same host (when the communication is not directly between 
10.0.0.0/16 IP addresses).

This is pretty much exactly when vimage/vnet jails could be used to great
effect.
Is there a reason you are not doing that?  Each jail has its own routing
tables, addresses and (virtual) interfaces.

here's how I'd do it with vimage

[ASCII diagram, garbled in the archive: an "iface" box and a "bridge" box side by side at the top, with "servers" boxes attached to the bridge; a "NAT jail router" box hangs below the bridge, and four "jails" boxes hang below the router.]



However, the hairpin idea might still be useful even in that scenario if they
don't know about each other's 'local' addresses, but do NAT'd machines need to
talk to each other by external addresses?

i Nathan

On 21 Nov 2015, at 9:12 am, Nathan Aherne  wrote:

I am not exactly sure how to draw the setup so it doesn’t confuse the 
situation. The setup is extremely simple (I am not running vimage), jails 
running on the 10.0.0.0/16 (cloned lo1 interface) network or with public IPs. 
The jails with private IPs are the HTTP app jails. The Host runs a HTTP Proxy 
(nginx) and forwards traffic to each HTTP App jail based on the URL it 
receives. The jails with public IPs are things like database jails which cannot 
be proxied by the Host.

I can happily communicate with any jail from my laptop (externally) but when I want 
one jail to communicate with another jail (fo

Re: connecting a PS4 via IPFW

2015-11-28 Thread Thomás S. Bregolin
Hello,

Besides the redirect_port option, you still need rules allowing traffic
in to those ports. Excuse me if you've done that already (I have no way
of knowing).

I'd suggest forwarding one or all of those ports to another host, and
testing with netcat in order to rule out problems with the PS4
configuration or some other problem upstream in your network. Sniffing
with tcpdump might help. There are "port checkers" out there if you
don't have another external address to test from (like canyouseeme.org).

To do a proper DMZ, yes, you'd either use more physical interfaces and
connections, or VLANs. That could be overkill in your situation, unless
you're really keen on having a very secure home network.

Best of luck,

Thomas

Sat, Nov 28, 2015 at 03:19:09PM +1100, Graham Menhennitt:
> On 28/11/2015 05:03, Thomas wrote:
> > Aren't your regular NAT rules in NAT instance 1? That command will
> > overwrite those and leave just the new ones.
> >
> > If that's the case, you can put those rules in a different NAT instance,
> > or add them to the rest of your NAT rules.
> >
> >
> > Wed, Nov 25, 2015 at 04:00:12PM +1100, Graham Menhennitt:
> >> Hello IPFWers,
> >>
> >> I have a box running FreeBSD 10-stable that I use as a
> >> router/firewall/NAT. It runs IPFW and uses kernel NAT. My son is nagging
> >> me about playing multi-player online games on his Sony PS4.
> >>
> >> From what I've read, I could enable UPnP. But I've tried compiling the
> >> net/miniupnpd port but it won't build for IPFW (and I don't want to
> >> convert to PF).
> >>
> >> Giving up on that, I'm now trying to enable port forwarding -
> >> apparently, this will fix it. I've allocated the PS4 a static IP address
> >> on my LAN. I need to port forward TCP ports 80, 443, 1935, 3478-3480,
> >> and UDP ports 3478-3479. I've tried the following command:
> >>
> >> ...
> >> but that completely kills my Internet connection for all other uses (and
> >> the PS4 still doesn't work!).
> >>
> Thanks for responding, Thomas. You're right - that's what's killing my
> Internet connection. I've changed the command to:
> 
> ipfw nat 1 config if re1 same_ports \
> redirect_port tcp ${PS4_LAN_ADDRESS}:80 80 \
> redirect_port tcp ${PS4_LAN_ADDRESS}:443 443 \
> redirect_port tcp ${PS4_LAN_ADDRESS}:1935 1935 \
> redirect_port tcp ${PS4_LAN_ADDRESS}:3478 3478 \
> redirect_port tcp ${PS4_LAN_ADDRESS}:3479 3479 \
> redirect_port tcp ${PS4_LAN_ADDRESS}:3480 3480 \
> redirect_port udp ${PS4_LAN_ADDRESS}:3478 3478 \
> redirect_port udp ${PS4_LAN_ADDRESS}:3479 3479
> 
> At least it doesn't kill anything now. But the PS4 still doesn't work.
> When I do "Test internet connection" on it, it says "NAT: Failed".
> 
> For a DMZ, I need a separate network for the PS4 - is that right? That
> means a separate physical connection (i.e. WAP or cable).
> 
> Thanks again,
> Graham