# PF - Open Ports are "Closed"



## latesauce (Aug 17, 2010)

Greetings FreeBSD Community,

I have only used FBSD for the past year. The machine I have is a router/firewall that needs ports 28060-28080 open to run a Jedi Outcast (JO): Jedi Knight II Dedicated Server.

I recently discovered how to implement Redirect (Port Forwarding). The ports appear to be "open" and redirected, as both Vonage and the Torrent Port that I set up are displayed via "pfctl -s state."

When I run an external port scan from https://www.grc.com/x/ne.dll?bh0ciyl2 or through NMAP, the ports that I try to open all show as "Closed."

Booting the JO Server I get the error "WARNING: UDP_OpenSocket: bind: WSAEADDRNOTAVAIL" in Windows XP with the Firewall disabled. Testing directly from the Cable Modem, the server loads without any trouble. I have eliminated the Switch as the culprit as well.

Constructive criticism would be greatly appreciated. Please audit my pf config and point me in the right direction. 

--latesauce

Here's most of my pf.conf: 


```
###############
### MACROS  ###
###############

# # # # # Interfaces # # # # #

# External Interface to Cable Modem.
ext_if = "fxp0"

# Internal Interface to Switch.
int_if = "fxp1"

# PF Log Interface.
log_if = "pflog0"

# # # # # Devices # # # # #

cb_lan = "{ 172.16.0.0/27 }"
vonage = "172.16.0.3"
nighthawk0 = "172.16.0.7"
bake0 = "172.16.0.9"

# # # # # Ports # # # # #

tcp_ports = "{ 21, 22, 47, 53, 69, 80, 143, 587, 666 }"
vonage_ports = "{ 21, 69, 2400, 80, 123, 5061 }"
torrent_port = "56164"
jk2_ports = "{ 28060, 28061, 28062, 28063, 28064, 28065, 28066, 28067, 28068, 28069, 28070, 28071, 28072, 28073, 28074, 28075, 28076, 28077, 28078, 28079, 28080 }"

##############
### TABLES ###
##############

# use pfctl -t blocked -T add x.x.x.x
table <blocked>  file "/etc/blocked.table"


#####################
### OPTIONS (Set) ###
#####################

# Drop packets silently by default.
set block-policy drop

# Enable statistics for a specific Interface.
set loginterface $log_if

# Set session timeout in seconds.
set timeout interval 20

# Skip all PF processing on Loopback Interface
set skip on lo0


#####################################
### TRAFFIC NORMALIZATION (Scrub) ###
#####################################

# Enable random IP ID generation.
scrub out on $ext_if random-id

# Prevent fragmented packets evading
scrub in on $ext_if all fragment reassemble


####################################
### TRANSLATION (NAT - Redirect) ###
####################################

# # # # # NAT # # # # #

nat on $ext_if from 172.16.0.0/27 to any -> ($ext_if)

# # # # # Redirect (Port Forward) # # # # #

rdr pass on $ext_if proto { tcp, udp } from any to any port \
   $torrent_port -> $nighthawk0 port $torrent_port
rdr pass on $ext_if proto udp from any to any port 10000:20000 -> \
   $vonage port 10000:20000
rdr pass on $ext_if proto udp from any to any port 28060:28080 -> \
   $bake0 port 28060:28080


########################
### PACKET FILTERING ###
########################

# # # # # BLOCK # # # # #

# Default deny policy for all interfaces.
block in log on $ext_if


# Prevent external hosts from spoofing internal addresses.
antispoof for $ext_if inet


# # # # # PASS # # # # #

# Keep the loopback interface unfiltered.
pass quick on lo0 all

# Pass traffic from Router to Internet.
pass out quick on $ext_if from ($ext_if) to any modulate state

# Pass traffic from LAN to Internet.
pass out quick on $ext_if from ($int_if) to any modulate state

# Pass all traffic to and from the LAN.
pass in on $int_if from $cb_lan
pass out on $int_if to $cb_lan

# Allow all traffic to the Internet.
pass out on $ext_if proto udp all
pass out on $ext_if proto tcp all modulate state

# Allow ICMP everywhere to aid troubleshooting.
pass out inet proto icmp all icmp-type echoreq
pass in inet proto icmp all icmp-type echoreq

# Open DNS Port.
pass in quick on $ext_if proto udp from any to any port 53

# Open Select TCP Ports.
pass in quick on $ext_if proto tcp from any to any port $tcp_ports modulate state

# Open Vonage Ports
pass in quick on $ext_if proto udp from any to any port $vonage_ports

# Open JK2 Ports
pass in quick on $ext_if proto udp from any to any port $jk2_ports

# Allow Torrent Port in.
pass in quick on $ext_if proto tcp from any to any port $torrent_port modulate state
pass in quick on $ext_if proto udp from any to any port $torrent_port
```


----------



## SirDice (Aug 17, 2010)

If you forward a port, the port on the machine you are forwarding to must have something listening on it. Otherwise it will indeed be closed.


----------



## latesauce (Aug 17, 2010)

SirDice said:

> If you forward a port, the port on the machine you are forwarding to must have something listening on it. Otherwise it will indeed be closed.



Ah. Thanks for the info, that is good to know. How about for other ports, such as TCP, that are not forwarded but set to open and scanned as "closed." Does this apply to those ports as well?

For the gaming server, I don't think it continuously listens to the ports that it is trying to reach, however, every time it loads the following error displays and I know that it is a Firewall issue. 


```
Opening IP socket: x.x.x.x:28070
WARNING: UDP_OpenSocket: bind: WSAEADDRNOTAVAIL
```


----------



## SirDice (Aug 17, 2010)

A port is considered "open" when a SYN is replied with a SYN/ACK. If there's nothing listening the port will respond with a "RST" indicating the port is "closed".

Learn the basics of TCP/IP, you're going to need it if you want to play with firewalls.

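As an added illustration of the open/closed distinction SirDice describes (example code written for this page, not from the thread): a small Python check that attempts the TCP handshake against a port, first while a local listener is bound to it and then after the listener is gone. The 127.0.0.1 listener and its ephemeral port are constructed for the demo; on a real router you would point probe_tcp at the forwarded port from the outside.

```python
import socket


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a TCP port the way a port scanner reports it.

    A completed handshake (SYN answered with SYN/ACK) means "open".
    A RST in reply to the SYN surfaces as ConnectionRefusedError and
    means "closed": the host is reachable but nothing listens there.
    No answer within the timeout means "filtered": the SYN was dropped,
    which is what PF's 'set block-policy drop' produces for blocked ports.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"


def start_listener(host: str = "127.0.0.1") -> tuple:
    """Bind and listen on an ephemeral port so the probe has a real listener.

    Constructed for the demo: returns (listening socket, port number).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def demo() -> tuple:
    """Probe the same port with a listener behind it and then without one."""
    srv, port = start_listener()
    with_listener = probe_tcp("127.0.0.1", port)
    srv.close()  # nothing listens now: the kernel answers the SYN with RST
    without_listener = probe_tcp("127.0.0.1", port)
    return with_listener, without_listener


if __name__ == "__main__":
    print(demo())  # → ('open', 'closed')
```

The same reasoning applies to the forwarded game ports: with no server bound on the inside host, the redirect is working yet the scanner still reports "closed".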

----------



## latesauce (Aug 17, 2010)

SirDice said:

> A port is considered "open" when a SYN is replied with a SYN/ACK. If there's nothing listening the port will respond with a "RST" indicating the port is "closed".
>
> Learn the basics of TCP/IP, you're going to need it if you want to play with firewalls.



Will do. Thanks again.


----------

