# Forward a Port through pf



## Ruler2112 (Feb 23, 2010)

OK, I know that I must be missing something simple again.  (Like the last thread I posted when I had trouble - 3-4 pages and several hours later, I discovered I'd mis-typed an IP address.)  I'm guessing that something like this is happening here, but I've checked all the addresses and port numbers several times.  I also tried removing all the variables and hard-coding the interfaces, but to no avail.

Basically, I want to forward a port through my firewall to a machine behind the NAT.

According to the pf documentation I found, the following should cause the firewall to allow somebody to connect to port 50000 on the FreeBSD box and behave as if you're connecting to port 80 on 192.168.100.20 behind the NAT.  nfe0 is my external interface and rl0 is the internal.


```
rdr on nfe0 proto tcp from any to any port 50000 -> 192.168.100.20 port 80
```

When connecting to port 80 of 192.168.100.20 from the FreeBSD box, I can fetch html normally.  Connecting to port 50000 of the FreeBSD box results in an immediate connection refused error.


I've even added the following, but since nothing is listening on port 50000, the connection just times out.


```
pass in on nfe0 inet proto tcp from any to any port 50000 flags S/SA keep state
```

Any ideas?


----------



## honk (Feb 23, 2010)

If you have the rdr on the external interface, then your test needs to come in via the external interface. Just in case you are testing from your internal network, as it can't work this way...

I always combine the rdr and the pass:

```
rdr pass on nfe0 proto tcp from any to any port 50000 -> 192.168.100.20 port 80
```

cheers,
honk


----------



## hiatek (Feb 23, 2010)

I had a similar experience while testing a VPN that lives on an internal Windows server: I couldn't use the full DNS name from my LAN (I could connect via the LAN IP though). Going to another network resulted in this working correctly.


----------



## DutchDaemon (Feb 23, 2010)

Note also that if you have rulesets on rl0 you will have to 'pass out' the connection on rl0 as well.


----------



## sniper007 (Feb 24, 2010)

I'll ask in this thread because I don't need to open a new one.

So, I'd like to know: is it necessary to redirect (torrent) traffic to the one PC with the torrent client running behind NAT, or is it enough to open the port in pf?

Another question: in my pf.conf I have the rule *block in log all* and then open only the one port which the torrent client is using. When the torrent client is running, a lot of blocked traffic appears on pflog0 on random ports (UDP, TCP and also ICMP traffic)?


----------



## DutchDaemon (Feb 24, 2010)

sniper007 said:

> So, I'd like to know: is it necessary to redirect (torrent) traffic to the one PC with the torrent client running behind NAT, or is it enough to open the port in pf?



You'll need to redirect your 'Internet port' to your 'PC port' using rdr and pass rules.



> Another question: in my pf.conf I have the rule *block in log all* and then open only the one port which the torrent client is using. When the torrent client is running, a lot of blocked traffic appears on pflog0 on random ports (UDP, TCP and also ICMP traffic)?



Welcome to the Internet! This is one of the side-effects of p2p traffic, and certainly bittorrent traffic. People jump on torrents and leave them, you'll start and stop torrents, you will temporarily throttle or disable traffic (choking and such), which leads to dropped connections.

When your torrent client decides to drop a torrent (permanently or temporarily) it will tell the connecting peers to take a hike, but they may still try to send traffic to your now closed sessions. All of these things will show up in your logs as refused connections; it's inherent to the start-stop-wait-go-come in-back off nature of bittorrent traffic.

Also note that the open bittorrent port is only used for the initial connection from peers. After that, other ports (usually random high ports) are used to actually exchange traffic, metadata, and tracker updates.


----------



## sniper007 (Feb 24, 2010)

DutchDaemon said:

> You'll need to redirect your 'Internet port' to your 'PC port' using rdr and pass rules.




external interface: *ng0*
PC behind NAT with torrent client: *192.168.0.199*
Torrent client port: *51318*

Something like that?

```
rdr pass on ng0 proto { tcp, udp } from any to ng0 port 51318 -> 192.168.0.199 port 51318
```


----------



## DutchDaemon (Feb 24, 2010)

That should do it, yes, provided you don't have rulesets on your LAN interface, or else you'll have to make an explicit pass out rule there.

BTW, if the ports are the same you can omit the port statement on the right. By default, rdr will use the same port.


----------



## Ruler2112 (Feb 24, 2010)

honk said:

> I always combine the rdr and the pass:
> 
> ```
> rdr pass on nfe0 proto tcp from any to any port 50000 -> 192.168.100.20 port 80
> ```



Adding the pass into the rdr statement solved it!  Now I'm curious as to why the separate pass statement didn't work, but not enough to spend more time troubleshooting it.

Thanks for the help everybody.


----------
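Editor's note, added example (this is not code from any poster in the thread): a complete minimal pf.conf that ties the thread's points together for the pf version of that era (FreeBSD 7/8, where rdr is a translation rule that must precede the filter rules). It contains the combined `rdr pass` for Ruler2112's port 50000 -> 80 forward, a tcp/udp torrent forward in sniper007's style with the target port omitted as DutchDaemon describes, the `pass out` on the LAN interface DutchDaemon mentions, and, for Ruler2112's closing question, the separate pass rule written the way it has to be. The interface names nfe0/rl0, the host 192.168.100.20 and port 51318 come from the thread; the torrent host address 192.168.100.30 is assumed so that both forwards live on one LAN (sniper007's real setup uses ng0 and 192.168.0.199), as is the rest of the ruleset. The reason the separate `pass in ... port 50000` never matched: pf translates before it filters, so by the time the filter rules see the packet its destination is already 192.168.100.20 port 80. `rdr pass` sidesteps this by generating its implicit stateful pass rule for the translated destination.

```conf
# Added example, not from the thread. Interface names and the web server
# address are Ruler2112's; the torrent host address is assumed.
ext_if = "nfe0"                 # external interface
int_if = "rl0"                  # internal (LAN) interface
web_srv = "192.168.100.20"      # inside web server (port 80)
torrent_pc = "192.168.100.30"   # ASSUMED address of the torrent client
torrent_port = "51318"          # torrent client's listening port

set skip on lo0

# --- translation rules: these must come before any filter rule ---

# Masquerade the LAN behind the external interface's address.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Outside port 50000 -> inside port 80. "rdr pass" also installs a
# stateful pass rule that matches the TRANSLATED destination.
rdr pass on $ext_if proto tcp from any to ($ext_if) port 50000 -> $web_srv port 80

# Torrent client, tcp and udp. Inside and outside ports are the same,
# so the "port" keyword on the right-hand side is omitted.
rdr pass on $ext_if proto { tcp, udp } from any to ($ext_if) port $torrent_port -> $torrent_pc

# --- filter rules ---

block in log all

# Equivalent to what "rdr pass" did for the web forward, written by hand.
# Note the destination: the translated address and port, not port 50000.
pass in on $ext_if inet proto tcp from any to $web_srv port 80 flags S/SA keep state

# Filtering on the LAN side: forwarded connections must be let out there too.
pass out on $int_if inet proto tcp from any to $web_srv port 80 keep state
pass out on $int_if inet proto { tcp, udp } from any to $torrent_pc port $torrent_port keep state

# Let the LAN reach the Internet and let the firewall's own replies out.
pass in on $int_if from $int_if:network to any keep state
pass out on $ext_if keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and confirm the translation rules took effect with `pfctl -s nat`. Then, as honk says, test from a host on the outside of nfe0, not from the LAN; `pfctl -s state` shows the resulting state entries, and `tcpdump -n -e -ttt -i pflog0` shows what `block in log all` is dropping, which for a running torrent client will be the stray peer traffic DutchDaemon describes rather than a misconfiguration.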

