ipfilter - port forward question

Darryl Hoar darryl at osborne-ind.com
Fri Aug 8 11:35:35 PDT 2003

it does in fact use udp.  Here is what I have done.

Added to /etc/ipfilter.rules

pass in quick on ep0 proto tcp from any to any port = 31240 keep state

Added to /etc/ipnat.rules

rdr ep0 0/0 port 31240 -> port 31240 udp

First question.
I can reload the ipfilter rules with the 
  ipf -Fa -f /etc/ipfilter.rules

how do I reload the ipnat rules ?

I tried ipnat -F then
ipnat -f /etc/ipnat.rules.

But when I did a ipnat -l  it showed that it
just added the new rdr (so I had two listed).

I rebooted.

External users still couldn't connect.  So, I create a new
ipfilter.rules file with:
  pass in quick on ep0 all keep state
  pass out quick on ep0 all keep state.

Reloaded the firewall rules.  Users tried to connect but couldn't.
I looked at the nat table I saw:

map 1256 <- -> 1256 [ 5101]
rdr 31240 <- -> 31240 [ 1131]
<snip out duplicate entries with 1131 changing to different values>

I feel I'm close.  What am I missing/screwing up ?

FreeBSD 4.7S

>-----Original Message-----
>From: Mike Maltese [mailto:mike at pcmedx.com]
>Sent: Thursday, August 07, 2003 4:14 PM
>To: freebsd-questions at freebsd.org
>Cc: darryl at osborne-ind.com
>Subject: Re: ipfilter - port forward question
>> map ep0 -> 0/32
>> rdr epo port 31240 -> port 31240 tcp
>Try "rdr ep0 0/0 port 31240 -> port 31240 tcp" in your nat rules and try
>something like "pass in quick on ed0 all keep state/pass out quick on ed0 all
>keep state" in your ipf rules. There's really no need to open up the whole
>machine like this though. Why not "pass in quick on ed0 proto tcp from any to
>any port = 31240 flags S keep state"? One last thing that I just thought
>of...are you sure the game uses TCP? Most games use UDP because of the lower
>overhead.
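The mismatch in this thread (a TCP pass rule beside a UDP rdr) is easy to miss by eye, so here is an added consistency check that is not part of the thread or of ipfilter itself: it parses small ipf and ipnat rule sets, reports any rdr whose protocol/port no "pass in" rule admits, and flags pass-all rules of the kind the reply warned against. The sample rules are constructed from the ones posted above, and treating an rdr with no trailing protocol keyword as tcp is an assumption.

```python
# Constructed rules mirroring the thread: the ipf pass rule is for TCP while the
# ipnat rdr forwards UDP, so the redirected game traffic never matches a pass rule.
IPF_RULES = "pass in quick on ep0 proto tcp from any to any port = 31240 keep state\n"
IPNAT_RULES = "rdr ep0 0/0 port 31240 -> port 31240 udp\n"

def protos(field):
    """Expand a protocol field into a set; None (no proto clause / 'all') means tcp and udp."""
    return {"tcp", "udp"} if field in (None, "tcp/udp") else {field}

def parse_pass_in(line):
    """(iface, proto, dest_port) for an ipf 'pass in' rule; fields are None when absent ('all')."""
    tok = line.split()
    if tok[:2] != ["pass", "in"]:
        return None
    iface = proto = port = None
    for i, t in enumerate(tok):
        if t == "on":
            iface = tok[i + 1]
        elif t == "proto":
            proto = tok[i + 1]
        elif t == "port" and tok[i + 1] == "=":  # last 'port = N' clause is the destination port
            port = int(tok[i + 2])
    return iface, proto, port

def parse_rdr(line):
    """(iface, proto, port) for an ipnat rdr rule; a missing protocol keyword is assumed to mean tcp."""
    tok = line.split()
    if not tok or tok[0] != "rdr":
        return None
    port = int(tok[tok.index("port") + 1])  # first 'port N' clause: the port being redirected
    proto = tok[-1] if tok[-1] in ("tcp", "udp", "tcp/udp") else "tcp"
    return tok[1], proto, port

def audit(ipf_text, ipnat_text):
    """Report rdr rules no 'pass in' rule lets through, and pass rules that admit everything."""
    lines = lambda txt: [l for l in txt.splitlines() if l.strip() and not l.startswith("#")]
    passes = [p for p in map(parse_pass_in, lines(ipf_text)) if p]
    rdrs = [r for r in map(parse_rdr, lines(ipnat_text)) if r]
    findings = []
    for iface, proto, port in passes:
        if proto is None and port is None:
            findings.append(f"broad: 'pass in' on {iface} admits all traffic")
    for iface, proto, port in rdrs:
        for pr in sorted(protos(proto)):
            if not any(pi == iface and pr in protos(pp) and pport in (None, port)
                       for pi, pp, pport in passes):
                findings.append(f"unreachable: rdr {pr}/{port} on {iface} has no matching 'pass in'")
    return findings
```

Running `audit(IPF_RULES, IPNAT_RULES)` on the thread's rules reports the UDP rdr as unreachable; changing the pass rule to `proto udp` clears it, while the pass-all rules clear it too but are reported as broad.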
