# Port forwarding with PF



## v0idE (Feb 12, 2010)

Hi all,

I'm not sure my port forward in PF is working properly because port scans don't show the port as open. Could someone familiar with PF look at my conf and let me know if it's correct?

I have reviewed the PF documentation and used other samples online for extra help, but I'm just not sure the port forward is working.

Any help is appreciated as I'm pretty new to packet filtering, routing and firewalling like this.


```
#
##      MACROS
#
# Internal and external interfaces (run 'ifconfig' to find interfaces)
int_if = "xl0"
ext_if = "rl0"

# Ports we want to allow access to from the outside world
torrent_port = "{ 39999 }"
icmp_types = "echoreq"

# Networked computers to redirect traffic to
hackedpackard = "192.168.3.84"

# Block incoming traffic from private networks
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"


#
##      GLOBAL OPTIONS
#
# Answer blocked packets with TCP RST / ICMP unreachable instead of dropping
# them silently
set block-policy return
set loginterface $ext_if

# Disable filtering on loopback
set skip on lo0


#
##      TRAFFIC NORMALISATION
#
scrub in all


#
##      TRANSLATION RULES (NAT)
#
# NAT traffic from internal network to external network through external
# interface
nat on $ext_if from !($ext_if) to any -> ($ext_if)

# Redirect torrent traffic ("port forwarding")
# rdr only matches packets arriving on $ext_if; "to ($ext_if)" instead of
# "to any" would limit it to packets addressed to the firewall's own address
rdr on $ext_if proto tcp from any to any port $torrent_port -> $hackedpackard


#
##      FILTER RULES
#
# Default deny rule
block in

# Allow traffic to leave an interface once it is in
pass out keep state

# Spoofed address protection
antispoof log quick for { lo $int_if }

# Block private network addresses (RFC 1918)
# These assume $ext_if has a public address; on an RFC 1918 uplink the
# outbound rule also blocks traffic to the upstream router
block drop in log (all) quick on $ext_if from $priv_nets to any
block drop out log (all) quick on $ext_if from any to $priv_nets

# As well as the redirect rule to pass torrent traffic to $hackedpackard,
# we also need to pass this traffic through the firewall. The filter sees
# the packet after rdr, so the destination to match is $hackedpackard.
# We'll use the TCP SYN Proxy for further protection
pass in on $ext_if inet proto tcp from any to $hackedpackard port \
        $torrent_port synproxy state

# Pass ICMP traffic
pass in inet proto icmp all icmp-type $icmp_types keep state

# Pass traffic to and from the internal network - this could be more
# restrictive!
pass in quick on $int_if
```


----------



## SirDice (Feb 12, 2010)

If there's nothing running on $hackedpackard:$torrent_port the port is closed.


----------



## v0idE (Feb 12, 2010)

I should have mentioned that my torrent client is always running (unless there's a blackout).
Does the conf file look OK?


----------



## SirDice (Feb 12, 2010)

Looks fine to me.


----------



## v0idE (Feb 12, 2010)

Well that's good to know. I had someone port scan me with nmap and the port didn't show up as open. I did various online port scans and same result. Any ideas what it could be? Do I need to modify the PF conf somehow?

My network is pretty simple: a server with FBSD 8.0 and two NICs, running DHCP, DNS and PF. It connects to a Netgear switch which is where all computers get their network connection from. The computer $hackedpackard is running Archlinux OS with no additional firewalling service.


----------



## SirDice (Feb 12, 2010)

It's relatively easy to troubleshoot. Just run a tcpdump on your external interface and one on the internal one. The external tcpdump will show you that the packets actually arrive. The internal one will show if the redirect works.


----------
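The two captures SirDice describes, as an added example that is not code from the thread: a small POSIX shell script that runs `tcpdump` on the external and internal interfaces at the same time, with filters narrow enough that each capture answers one question (do the SYNs arrive on rl0 at all? does the same SYN reappear on xl0 with its destination rewritten to 192.168.3.84?). The interface names, internal host and port are taken from the pf.conf posted above and can be overridden through environment variables; the log file names and the two sample `tcpdump -n` lines are constructed for illustration and are not real captures.

```shell
#!/bin/sh
# Added example (not from the thread): check a pf rdr by capturing on both
# interfaces at once. Defaults come from the posted pf.conf; override with
# e.g.  EXT_IF=em0 ./pfcheck.sh capture 30
EXT_IF="${EXT_IF:-rl0}"
INT_IF="${INT_IF:-xl0}"
TARGET="${TARGET:-192.168.3.84}"
PORT="${PORT:-39999}"

# BPF filter for the external side: only SYNs to the forwarded port, so the
# capture shows whether the scanner's packets reach the box at all.
ext_filter() {
    printf 'tcp dst port %s and tcp[tcpflags] & tcp-syn != 0' "$PORT"
}

# BPF filter for the internal side: anything addressed to the internal host
# on that port. With the rdr in place this is where the redirected SYN
# reappears, destination rewritten from the external address to $TARGET.
int_filter() {
    printf 'dst host %s and tcp dst port %s' "$TARGET" "$PORT"
}

# Decide from one line of 'tcpdump -n' output whether it shows a SYN that
# has been rewritten to TARGET:PORT, i.e. whether the rdr fired.
# Returns 0 (true) if so, 1 otherwise.
redirect_seen() {
    printf '%s\n' "$1" | grep -qF "> ${TARGET}.${PORT}: Flags [S"
}

# Run both captures for a fixed time. Needs root and real interfaces, so it
# only runs when invoked as:  ./pfcheck.sh capture [seconds]
# (ext.log / int.log are hypothetical file names chosen for this example)
capture() {
    secs="${1:-30}"
    tcpdump -n -l -i "$EXT_IF" "$(ext_filter)" > ext.log 2>&1 &
    ext_pid=$!
    tcpdump -n -l -i "$INT_IF" "$(int_filter)" > int.log 2>&1 &
    int_pid=$!
    echo "capturing for ${secs}s; now scan ${PORT}/tcp from outside"
    sleep "$secs"
    kill "$ext_pid" "$int_pid" 2>/dev/null
    echo "--- external ($EXT_IF): packets arriving ---"; cat ext.log
    echo "--- internal ($INT_IF): packets redirected ---"; cat int.log
}

# Constructed sample lines in 'tcpdump -n' format (not real captures) showing
# what a working redirect looks like: the same SYN before and after rdr.
# 198.51.100.7 stands in for the firewall's public address.
SAMPLE_EXT='12:00:00.000001 IP 203.0.113.5.51000 > 198.51.100.7.39999: Flags [S], seq 1, win 65535, length 0'
SAMPLE_INT='12:00:00.000150 IP 203.0.113.5.51000 > 192.168.3.84.39999: Flags [S], seq 1, win 65535, length 0'

case "${1:-}" in
    capture) capture "${2:-30}" ;;
esac
```

Read the two logs together: a SYN in ext.log with nothing in int.log means the packet arrived but pf did not redirect or pass it (the rdr or the pass rule is not matching, or an earlier quick rule such as the private-network block ate it); nothing in ext.log at all means the problem is upstream of this box. One caveat specific to the posted ruleset: because the pass rule uses `synproxy state`, pf itself completes the three-way handshake with the remote client before it opens a connection to the internal host, so a half-open scan (nmap's default SYN scan) gets a SYN/ACK from pf and reports the port open without anything ever appearing on the internal interface; if the scanner does not see the port as open, the external capture is the one to look at first.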



## DutchDaemon (Feb 12, 2010)

I don't see a pass out rule on $int_if, I think? Try this:


```
# "rdr pass" redirects and passes the packet in one rule (implicit keep
# state), so the synproxy pass rule is no longer used for this port.
# "to $ext_if" is expanded to the interface's address when the ruleset is
# loaded; "to ($ext_if)" would follow address changes (e.g. DHCP) at run time.
rdr pass on $ext_if inet proto tcp from any to $ext_if port $torrent_port -> $hackedpackard
# Explicit pass out on the internal interface for the redirected connection;
# flags S/SA creates state only on the initial SYN
pass out quick on $int_if inet proto tcp from any to $hackedpackard port $torrent_port keep state flags S/SA
```


----------

