pf or ipf rules to allow p2p Limewire through

2008-11-27 Thread Fbsd1
What pf or ipf firewall keep-state rules are needed to allow a p2p application 
such as Limewire through? Using the same firewall rules as in the handbook example.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: pf or ipf rules to allow p2p Limewire through

2008-11-27 Thread APseudoUtopia
On Thu, Nov 27, 2008 at 3:56 AM, Fbsd1 <[EMAIL PROTECTED]> wrote:
> What pf or ipf firewall keep-state rules are needed to allow a p2p application
> such as Limewire through? Using the same firewall rules as in the handbook example.

Well, what port does limewire use? You need to figure out what port
each application uses, then open the port in your firewall rules.


Re: pf or ipf rules to allow p2p Limewire through

2008-11-27 Thread Bernt Hansson

Fbsd1 said the following on 2008-11-27 09:56:
What pf or ipf firewall keep-state rules are needed to allow a p2p application 
such as Limewire through? Using the same firewall rules as in the handbook example.


Put this in your /etc/ipnat.rules

rdr rl0 0.0.0.0/0 port port# -> internal-ip port port# tcp
rdr rl0 0.0.0.0/0 port port# -> internal-ip port port# udp




Re: pf or ipf rules to allow p2p Limewire through

2008-11-27 Thread Fbsd1

Bernt Hansson wrote:

Fbsd1 said the following on 2008-11-27 09:56:
What pf or ipf firewall keep-state rules are needed to allow a p2p 
application such as Limewire through? Using the same firewall rules as in 
the handbook example.


Put this in your /etc/ipnat.rules

rdr rl0 0.0.0.0/0 port port# -> internal-ip port port# tcp
rdr rl0 0.0.0.0/0 port port# -> internal-ip port port# udp
How about explaining just why this is going to allow p2p limewire work?

I think you are missing the fact that Limewire does not use dedicated 
port numbers. Every session uses different port numbers and the remote 
computers come in on different high port numbers.



Re: pf or ipf rules to allow p2p Limewire through

2008-11-27 Thread Fbsd1

APseudoUtopia wrote:

On Thu, Nov 27, 2008 at 3:56 AM, Fbsd1 <[EMAIL PROTECTED]> wrote:

What pf or ipf firewall keep-state rules are needed to allow a p2p application
such as Limewire through? Using the same firewall rules as in the handbook example.


Well, what port does limewire use? You need to figure out what port
each application uses, then open the port in your firewall rules.




I think you are missing the fact that Limewire does not use dedicated 
port numbers. Every session uses different port numbers and the remote 
computers come in on different high port numbers. Limewire starts off 
with a proto igmp multicast packet to the Limewire master server where 
all the other users' online computers are listed.


Really need someone who has firewall rule for limewire using ipf or pf 
to share their knowledge.




Re: pf or ipf rules to allow p2p Limewire through

2008-11-27 Thread Bernt Hansson

Fbsd1 said the following on 2008-11-28 07:24:

Bernt Hansson wrote:

Fbsd1 said the following on 2008-11-27 09:56:
What pf or ipf firewall keep-state rules are needed to allow a p2p 
application such as Limewire through? Using the same firewall rules as in 
the handbook example.


Put this in your /etc/ipnat.rules

rdr rl0 0.0.0.0/0 port port# -> internal-ip port port# tcp
rdr rl0 0.0.0.0/0 port port# -> internal-ip port port# udp

How about explaining just why this is going to allow p2p limewire work?


Read the handbook on ipfilter.
http://coombs.anu.edu.au/~avalon/

I think you are missing the fact that Limewire does not use dedicated 
port numbers. Every session uses different port numbers and the remote 
computers come in on different high port numbers.


Change port# to port range, then. Or you can skip the firewall.


Re: pf or ipf rules to allow p2p Limewire through

2008-11-27 Thread Fbsd1

Bernt Hansson wrote:

Fbsd1 said the following on 2008-11-28 07:24:

Bernt Hansson wrote:

Fbsd1 said the following on 2008-11-27 09:56:
What pf or ipf firewall keep-state rules are needed to allow a p2p 
application such as Limewire through? Using the same firewall rules as 
in the handbook example.


Put this in your /etc/ipnat.rules

rdr rl0 0.0.0.0/0 port port# -> internal-ip port port# tcp
rdr rl0 0.0.0.0/0 port port# -> internal-ip port port# udp
How about explaining just why this is going to allow p2p limewire work?


Read the handbook on ipfilter.
http://coombs.anu.edu.au/~avalon/

I think you are missing the fact that Limewire does not use dedicated 
port numbers. Every session uses different port numbers and the remote 
computers come in on different high port numbers.


Change port# to port range, then. Or you can skip the firewall.



I checked the ipfilter online handbook and cannot find anything about 
rules for igmp packets, p2p or Limewire. I know what a rdr statement 
does but cannot see how it can be applied to a p2p application which 
does NOT use dedicated port numbers. The only way I can run Limewire is 
to disable my firewall and that does not make me happy.



I think the conclusion is that all 3 of the FreeBSD firewalls are unable 
to monitor packet exchange of p2p applications. These firewalls were 
designed before p2p applications were developed and their (p2p) inherent 
design is to defeat standard firewall designs.



Re: pf or ipf rules to allow p2p Limewire through

2008-11-28 Thread Bernt Hansson

Fbsd1 said the following on 2008-11-28 08:19:
I checked the ipfilter online handbook and cannot find anything about 
rules for igmp packets, p2p or Limewire. I know what a rdr statement 
does but cannot see how it can be applied to a p2p application which 
does NOT use dedicated port numbers. The only way I can run Limewire is 
to disable my firewall and that does not make me happy.



I think the conclusion is that all 3 of the FreeBSD firewalls are unable 
to monitor packet exchange of p2p applications.


Of course not. Just specify multicast to get through your firewall.

These firewalls were 
designed before p2p applications were developed and their (p2p) inherent 
design is to defeat standard firewall designs.




Re: pf or ipf rules to allow p2p Limewire through

2008-11-28 Thread Bernt Hansson

Fbsd1 said the following on 2008-11-28 08:19:

I checked the ipfilter online handbook and cannot find anything about 
rules for igmp packets, p2p or Limewire. I know what a rdr statement 
does but cannot see how it can be applied to a p2p application which 
does NOT use dedicated port numbers. The only way I can run Limewire is 
to disable my firewall and that does not make me happy.



I think the conclusion is that all 3 of the FreeBSD firewalls are unable 
to monitor packet exchange of p2p applications. These firewalls were 
designed before p2p applications were developed and their (p2p) inherent 
design is to defeat standard firewall designs.


http://en.wikipedia.org/wiki/Internet_Group_Management_Protocol


Re: pf or ipf rules to allow p2p Limewire through

2008-11-28 Thread Michael Powell
Fbsd1 wrote:
[snip] 
> The only way i can run limewire is
> to disable my firewall and that does not make me happy.

This is simply not true. I have at one time or another run Limewire on
each of the three different firewalls. Currently for a little over
one year now it has been pf. The difference is just syntax.

> I think the conclusion is that all 3 of the freebsd firewalls are unable
> to monitor packet exchange of p2p applications. These firewalls were
> designed before p2p applications were developed and their (p2p) inherent
> design is to defeat standard firewall designs.

I really do not understand most of the above paragraph, it makes little
sense to me. Non sequitur.

The OSI reference stack has 7 layers. These firewalls are simple packet
filtering firewalls and only reach Layer 4. The Application layer is
Layer 7, and these firewalls do not perform the deep packet inspection
or decoding required to filter at Layer 7.

As far as reading the docs is concerned it should become apparent that
there are 3 modalities for configuring Limewire. In my situation I have
a FreeBSD server acting as a gateway with pf and DNS running. The UPnP
option is for a typical Windows user who may have a router device that
will assist a UPnP service to autoconfigure the Windows box. Proceed to
examining the second option, Manual Port Forward. I'll ignore the third
as it is "Do Nothing", which is useless.

So on the Limewire "Advanced -> Firewall" config page enter a port 
number, such as 6346 in both the "Listen on Port" and the "Manual Port
Forward" boxes.

Then after your NAT rule in pf.conf enter something like the following:

rdr on $ExtIF proto tcp from any to any port 6346 -> 192.168.10.2 port 6346

and a corresponding filter pass rule:

pass in quick on $ExtIF inet proto tcp from any to 192.168.10.2 port 6346 keep state

192.168.10.2 is my desktop machine where I use Limewire. It works just fine.


-Mike
 




Re: pf or ipf rules to allow p2p Limewire through

2008-11-28 Thread RW
On Fri, 28 Nov 2008 14:24:27 +0800
Fbsd1 <[EMAIL PROTECTED]> wrote:

> How about explaining just why this is going to allow p2p limewire
> work?
> 
> I think you are missing the fact that limewire does not use dedicated 
> port numbers.
> Every session uses different port numbers

You can presumably set the port number in your limewire configuration.
I've not used limewire, but some p2p applications set random ports
the first time they are used. I doubt limewire sets it randomly on
every session - at least not without a way of overriding that behavior.


Re: pf or ipf rules to allow p2p Limewire through

2008-11-28 Thread eculp

Michael Powell <[EMAIL PROTECTED]> wrote:


Fbsd1 wrote:
[snip]

The only way i can run limewire is
to disable my firewall and that does not make me happy.


This is simply not true. I have at one time or another run Limewire on
each of the three different firewalls. Currently for a little over
one year now it has been pf. The difference is just syntax.


Why don't you send the rules or as you say "difference in syntax" that  
are blocking limewire and p2p to the list for two reasons:

  1. to quickly find how it is being blocked and remedy your problem.
  2. Help an idiot like me block p2p.

good luck,

ed
I think the conclusion is that all 3 of the freebsd firewalls are unable
to monitor packet exchange of p2p applications. These firewalls were
designed before p2p applications were developed and their (p2p) inherent
design is to defeat standard firewall designs.


I really do not understand most of the above paragraph, it makes little
sense to me. Non sequitur.

The OSI reference stack has 7 layers. These firewalls are simple packet
filtering firewalls and only reach Layer 4. The Application layer is
Layer 7, and these firewalls do not perform the deep packet inspection
or decoding required to filter at Layer 7.

As far as reading the docs is concerned it should become apparent that
there are 3 modalities for configuring Limewire. In my situation I have
a FreeBSD server acting as a gateway with pf and DNS running. The UPnP
option is for a typical Windows user who may have a router device that
will assist a UPnP service to autoconfigure the Windows box. Proceed to
examining the second option, Manual Port Forward. I'll ignore the third
as it is "Do Nothing", which is useless.

So on the Limewire "Advanced -> Firewall" config page enter a port
number, such as 6346 in both the "Listen on Port" and the "Manual Port
Forward" boxes.

Then after your NAT rule in pf.conf enter something like the following:

rdr on $ExtIF proto tcp from any to any port 6346 -> 192.168.10.2 port 6346

and a corresponding filter pass rule:

pass in quick on $ExtIF inet proto tcp from any to 192.168.10.2 port 6346 keep state


192.168.10.2 is my desktop machine where I use Limewire. It works just fine.


-Mike








Re: pf or ipf rules to allow p2p Limewire through

2008-11-30 Thread Fbsd1

>> [EMAIL PROTECTED] wrote:


So on the Limewire "Advanced -> Firewall" config page enter a port
number, such as 6346 in both the "Listen on Port" and the "Manual Port
Forward" boxes.

Then after your NAT rule in pf.conf enter something like the following:

rdr on $ExtIF proto tcp from any to any port 6346 -> 192.168.10.2 port 6346


and a corresponding filter pass rule:

in both the "Listen on Port" and the "Manual Port
Forward" boxes.

192.168.10.2 is my desktop machine where I use Limewire. It works just 
fine.
Thank you for the solution to this problem.

I was unaware Limewire had its own firewall configuration options.
In Limewire version 4.18 Tools/Options/Advanced/Firewall I entered the 
same port number in both the "Listen on Port" and the "Manual Port 
Forward" option fill-in boxes. Then in the IPF rules I added these 2 lines.


pass out quick on $oif proto igmp from any to any keep state
pass out quick on $oif proto tcp  from any to any port =  flags S keep state


Each XP box on the LAN running Limewire gets its own unique port number 
and the corresponding firewall rule. No need for NAT RDR rules.

Limewire works fine and my firewall is tight as ever.


Re: pf or ipf rules to allow p2p Limewire through

2008-11-30 Thread Norberto Meijome
On Fri, 28 Nov 2008 14:31:14 +0800
Fbsd1 <[EMAIL PROTECTED]> wrote:

> I think you are missing the fact that limewire does not use dedicated 
> port numbers. Every session uses different port numbers and the remote 
> computers come in on different hight port numbers. Limewire starts off 
> with a proto igmp  multicast packet to the limewire master server where 
> all the other users online computers are listed.

Hi there,

Not totally true, it's quite easy. You can configure your client to listen on
1 specific port, disable UPnP, and tell it to advertise itself on the same port
number. Then punch a hole from your firewall device straight to your client
on that port (both tcp + udp) and you'll be connected QUITE well that way. You
may not make it to ultrapeer in every run, but you just may after a while ;).

B
_
{Beto|Norberto|Numard} Meijome

Quantum Logic Chicken:
  The chicken is distributed probabilistically on all sides of the
  road until you observe it on the side of your course.

I speak for myself, not my employer. Contents may be hot. Slippery when wet.
Reading disclaimers makes you go blind. Writing them is worse. You have been
Warned.