# PF port forwarding question.  Works but seems wrong



## diskman (Dec 31, 2010)

I have a FreeBSD 8.1 box set to NAT the internet to my internal net of 4 assorted computers.

Running uTorrent and I have forwarded the port 40692 via pf.conf and it works great.

However.. ALL the computers on my network are able to use port 40692 now.  Even if I set the IP address of the destination port to 10.10.10.10 in pf.conf it still forwards the port from any PC running utorrent.

Is there a way to set a port to the internal IP implicitly?  So that 40693 goes ONLY to 192.168.5.10  and not all the other 192.169.5.xx IPs?

Here is my current working pf.conf modified from the example file..



```
# Firewall for Home or Small Office
# [url]http://www.openbsd.org/faq/pf/example1.html[/url]
#


# macros
ext_if="fxp0"
int_if="rl0"

icmp_types="echoreq"

# options
set block-policy return
set loginterface $ext_if

set skip on lo

# scrub
scrub in

# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021


[B]# Redirect torrent traffic ("port forwarding")
rdr on $ext_if proto tcp from any to any port 40692 -> 192.168.5.10
[/B]
# filter rules
block in

pass out

anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }


[B]pass in on $ext_if inet proto tcp from any to 192.168.5.10 port 40692 synproxy state[/B]

pass in inet proto icmp all icmp-type $icmp_types

pass quick on $int_if no state
```


----------



## SirDice (Dec 31, 2010)

diskman said:
			
		

> However.. ALL the computers on my network are able to use port 40692 now.


No, they don't. There's a big difference between _outgoing_ and _incoming_ connections. 



> Even if I set the IP address of the destination port to 10.10.10.10 in pf.conf it still forwards the port from any PC running utorrent.


No, it forwards an _incoming_ connection to the specified IP address and port.


----------



## dennylin93 (Dec 31, 2010)

There's a workaround to redirect outgoing connections (using route-to I think). I think I saw an example in the PF FAQ or man page.


----------



## diskman (Jan 1, 2011)

SirDice said:
			
		

> No, they don't. There's a big difference between _outgoing_ and _incoming_ connections.
> 
> 
> No, it forwards an _incoming_ connection to the specified IP address and port.




Hmm.. I can assure you that every PC on my network with port 40692 passes the port checker.

Seems kinda odd from a security standpoint. 

Is there a way to specify a specific IP address to a PC/port?


----------



## diskman (Jan 1, 2011)

diskman said:
			
		

> Hmm.. I can assure you that every PC on my network with port 40692 passes the port checker.





Nevermind.  The problem is with uTorrent...

Lol.


----------

