pf or ipf rules to allow p2p Limewire through

Michael Powell nightrecon at
Fri Nov 28 00:25:37 PST 2008

Fbsd1 wrote:
> The only way I can run limewire is
> to disable my firewall and that does not make me happy.

This is simply not true. I have at one time or another run Limewire on
each of the three different firewalls. Currently for a little over
one year now it has been pf. The difference is just syntax.

> I think the conclusion is that all 3 of the FreeBSD firewalls are unable
> to monitor packet exchange of p2p applications. These firewalls were
> designed before p2p applications were developed and their (p2p) inherent
> design is to defeat standard firewall designs.

I really do not understand most of the above paragraph; it makes little
sense to me. Non sequitur.

The OSI reference stack has 7 layers. These firewalls are simple packet
filtering firewalls and only reach Layer 4. The Application layer is
Layer 7, and these firewalls do not perform the deep packet inspection
or decoding required to filter at Layer 7.

As far as reading the docs is concerned it should become apparent that
there are 3 modalities for configuring Limewire. In my situation I have
a FreeBSD server acting as a gateway with pf and DNS running. The UPnP
option is for a typical Windows user who may have a router device that
will assist a UPnP service to autoconfigure the Windows box. Proceed to
examining the second option, Manual Port Forward. I'll ignore the third
as it is "Do Nothing", which is useless.

So on the Limewire "Advanced -> Firewall" config page enter a port 
number, such as 6346 in both the "Listen on Port" and the "Manual Port
Forward" boxes.

Then after your NAT rule in pf.conf enter something like the following:

rdr on $ExtIF proto tcp from any to any port 6346 -> port 6346

and a corresponding filter pass rule:

pass in quick on $ExtIF inet proto tcp from any to port 6346 keep state

is my desktop machine where I use Limewire. It works just fine.
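
[Added example, not part of the original message and not the poster's own pf.conf: the manual port forward described above, written out as a complete gateway ruleset in the pre-4.7 pf syntax that the rules in the message use. The interface names, the LAN range and the desktop address are placeholder assumptions, since the archived rules carry no internal address; only $ExtIF and port 6346 come from the message.]

```conf
# Added example: all names and addresses below are assumptions.
ExtIF   = "em0"            # assumed external (Internet-facing) interface
IntIF   = "em1"            # assumed internal (LAN) interface
IntNet  = "192.0.2.0/24"   # placeholder LAN range
Desktop = "192.0.2.10"     # placeholder address of the Limewire machine
LwPort  = "6346"           # the port entered in Limewire's Firewall page

set skip on lo0

# Translation rules must precede filter rules in pf.conf.
nat on $ExtIF from $IntNet to any -> ($ExtIF)

# Forward only the one Limewire port, and only to the one desktop.
rdr on $ExtIF proto tcp from any to any port $LwPort -> $Desktop port $LwPort

# Default deny for anything arriving from outside, with logging so that
# dropped connection attempts show up on pflog0.
block in log on $ExtIF all

# rdr is applied before filtering, so this rule has to match the
# translated destination ($Desktop), not the gateway's own address.
pass in quick on $ExtIF inet proto tcp from any to $Desktop port $LwPort keep state

# LAN clients may open outbound connections; replies are matched by state.
pass in on $IntIF from $IntNet to any keep state
pass out keep state
```

The firewall stays enabled throughout: a single TCP port is exposed, it reaches a single internal host, and everything else inbound on the external interface is still dropped and logged. Parse the file with pfctl -nf /etc/pf.conf before loading it.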


More information about the freebsd-questions mailing list