# pf and transmission-daemon



## gyoku (Apr 4, 2013)

I was quite familiar with pf, but I didn't use it during like 3 or 4 years. Yeah I used things like ufw and iptables on linux releases. Well, my pf block my transmission-daemon (bittorrent software) and I don't know why. I opened the tcp port for it. Here is my pf.conf


```
ext_if = "em0"
tcp_port = "{ 2232, 9091, 55437 }"
# on filtre pas le bouclage sinon Ã§a va chier
set skip on lo0

# on normalise 
scrub in all

# on bloque tout
block in all

# on fait passer le ssh en 2232, le transmission-remote en 9091
# sans oublier les peers en 55437 pour le transmission

pass in log on $ext_if proto tcp from any to any port $tcp_port

antispoof for em0 inet
antispoof for em0 inet6
```

If someone could tell me where I'm wrong? ( 2232 is ssh, 9091 transmission-remote en 55437 transmission-daemon).

Thanks a lot in advance.


----------



## SirDice (Apr 4, 2013)

You need to allow both UDP and TCP on the transmission port. And I suggest not opening the tranmission remote port to the outside world. I don't really know how secure the interface is and it's better to be safe than sorry.


----------



## kpa (Apr 4, 2013)

It's better to use ssh(1) forwarding to access the web gui on port 9091.


----------



## SirDice (Apr 4, 2013)

kpa said:
			
		

> It's better to use ssh(1) forwarding to access the web gui on port 9091.



The web GUI works well for me. If you use Firefox there's also an extension that allows you to right click on torrent links and "Send to transmission".


----------



## gyoku (Apr 4, 2013)

Now my PF blocks also my SSH. I don't know why. *H*ere's the pf.conf, *I* really don't understand why it's not working.


```
ext_if = "em0"
tcp_port = "{ 2232, 9091, 55437 }"
# on filtre pas le bouclage sinon Ã§a va chier
set skip on lo0

# on normalise pour pas se faire ddos comme une merde
scrub in all

# on bloque tout
block in all

# on fait passer le ssh en 2232, le transmission-remote en 9091
# sans oublier les peers en 55437 pour le transmission

pass in log on $ext_if proto tcp from any to any port $tcp_port
pass in on $ext_if proto udp from any to any port 55437


antispoof for em0 inet
antispoof for em0 inet6
```


----------



## gyoku (Apr 4, 2013)

I erased "log". Now *I* can access SSH again. But transmission-daemon is still blocked. Can't connect to any tracker, and when *I* check the port through transmission-remote, it replies with connection timed out.

transmission-daemon needs something else? *L*ike a flag in rc.conf?


----------



## SirDice (Apr 4, 2013)

I use it together with net/miniupnpd so it can open and forward a port dynamically. But that shouldn't be necessary, as long as the correct port is open.

One thing I realized, the machine is directly connected to the internet? I mean there's no need for NAT or anything like that?


----------



## gyoku (Apr 4, 2013)

Thanks a lot for your reply.

It's an OVK Kimsufi dedicated server. It doesn't need NAT I think.

I will try with miniupnpd. On an other server, (well it's OpenBSD), this pf.conf works smoothly. *H*ere is my settings.json.


```
{
    "alt-speed-down": 50,
    "alt-speed-enabled": false,
    "alt-speed-time-begin": 540,
    "alt-speed-time-day": 127,
    "alt-speed-time-enabled": false,
    "alt-speed-time-end": 1020,
    "alt-speed-up": 50,
    "bind-address-ipv4": "0.0.0.0",
    "bind-address-ipv6": "::",
    "blocklist-enabled": false,
    "blocklist-url": "http://www.example.com/blocklist",
    "cache-size-mb": 4,
    "dht-enabled": false,
    "download-dir": "/home/pierre/downloads",
    "download-queue-enabled": false,
    "download-queue-size": 5,
    "encryption": 1,
    "idle-seeding-limit": 30,
    "idle-seeding-limit-enabled": false,
    "incomplete-dir": "/root/Downloads",
    "incomplete-dir-enabled": false,
    "lpd-enabled": false,
    "message-level": 2,
    "peer-congestion-algorithm": "",
    "peer-limit-global": 240,
    "peer-limit-per-torrent": 60,
    "peer-port": 55437,
    "peer-port-random-high": 65535,
    "peer-port-random-low": 49152,
    "peer-port-random-on-start": false,
    "peer-socket-tos": "default",
    "pex-enabled": true,
    "pidfile": "/var/run/transmission/daemon.pid",
    "port-forwarding-enabled": false,
    "preallocation": 1,
    "prefetch-enabled": 1,
    "queue-stalled-enabled": true,
    "queue-stalled-minutes": 30,
    "ratio-limit": 2,
    "ratio-limit-enabled": false,
    "rename-partial-files": true,
    "rpc-authentication-required": false,
    "rpc-bind-address": "0.0.0.0",
    "rpc-enabled": true,
    "rpc-password": "*******",
    "rpc-port": 9091,
    "rpc-url": "/transmission/",
    "rpc-username": "****",
    "rpc-whitelist": "127.0.0.1,128.79.*.83",
    "rpc-whitelist-enabled": true,
    "scrape-paused-torrents-enabled": true,
    "script-torrent-done-enabled": false,
    "script-torrent-done-filename": "",
    "seed-queue-enabled": false,
    "seed-queue-size": 10,
    "speed-limit-down": 100,
    "speed-limit-down-enabled": false,
    "speed-limit-up": 100,
    "speed-limit-up-enabled": false,
    "start-added-torrents": true,
    "trash-original-torrent-files": false,
    "umask": 18,
    "upload-slots-per-torrent": 14,
    "utp-enabled": true
}
```

PS: my *E*nglish is not perfect, it's my third language .


----------



## CoTones (Apr 4, 2013)

Adding "log" to "block in all" and reading logs - is what you need only.


----------



## SirDice (Apr 4, 2013)

Try adding a rule to allow outgoing traffic. I know PF _should_ allow all traffic by default but I've had some weird issues with it. Specifically opening up outgoing traffic seems to work better.

If it's a dedicated (or VPS) server you don't need NAT, you are directly connected to the internet.


----------



## gyoku (Apr 4, 2013)

I checked the log, it was not specified that it blocked transmission BUT @SirDice you were right. I first added pass out for the specific port of transmission-daemon. Didn't work. After I did like you said. Added "pass out all" rule, it worked.

I did a [CMD=]kldstat[/CMD] to check and PF is working.

It is a bug or something like that? Well anyway thanks a lot!


----------



## CoTones (Apr 4, 2013)

Well, this is the packet filter, so dropping packets not allowed by rules is simple logic.


----------



## gyoku (Apr 4, 2013)

Without any rules PF does nothing. Try an empty pf.conf and you will see it.

Something like block in all and block out all or simple block all should do it.


----------

