Hi,
I would like to load/unload an "emule" anchor when needed.
Unfortunately it does not work as expected, as TCP port 4662 traffic coming back
to my router is still blocked.
Dec 22 13:05:36.720276 rule 2/(match) block in on pppoe0: 80.239.200.108.34965 > 158.64.125.147.4662: [|tcp] (DF)
Dec 22 13:05:37.330539 rule 2/(match) block in on pppoe0: 212.112.238.82.13114 > 158.64.125.147.4662: [|tcp] (DF)
Dec 22 13:05:39.720729 rule 2/(match) block in on pppoe0: 80.239.200.108.34965 > 158.64.125.147.4662: [|tcp] (DF)
Dec 22 13:05:40.330485 rule 2/(match) block in on pppoe0: 212.112.238.82.13114 > 158.64.125.147.4662: [|tcp] (DF)
Maybe I misunderstood the anchors manual, but I honestly don't know what is
wrong.
I would really appreciate if you can help me on this issue.
Why is the traffic still blocked via this rule "block log (all) all"? Shouldn't
it pass through, as the anchor rules allow the traffic?
Here is my pf.conf:
# VARIABLES SECTION #
int_if="sis0"
ext_if="pppoe0"
localnet="172.16.43.0/24"
outftp="53000:53450"
icmp_types="echoreq"
# TABLES SECTION #
table <friends> {x,y}
table <hostile> persist
# OPTIONS SECTION #
set block-policy drop
set loginterface $ext_if
# SCRUBBING SECTION #
scrub in on $ext_if all
scrub out on $ext_if max-mss 1440
# NAT SECTION #
nat on $ext_if from $localnet to any -> ($ext_if) static-port
# REDIRECTION #
rdr on $int_if proto tcp from !$ext_if to !$localnet port ftp \
-> 127.0.0.1 port ftp-proxy
rdr on $int_if proto tcp from $localnet to $int_if port ssh \
-> $int_if port 8022
rdr-anchor "authpf/*"
rdr-anchor emule
#pass quick all
block quick from <hostile>
block quick inet6 all
block log (all) all
#loopback and internal interface are ok
pass quick on lo0 all
pass quick on $int_if all
#### EXTERNAL INTERFACE ####
pass out on $ext_if inet proto tcp from ($ext_if) to any \
flags S/SA modulate state
pass out on $ext_if inet proto udp from ($ext_if) to any \
keep state
pass out quick on $ext_if inet proto tcp from ($ext_if) to any \
port > 1023 user proxy modulate state label ftpproxy
pass on $ext_if inet proto icmp icmp-type $icmp_types keep state
anchor emule
anchor "authpf/*"
END OF PF RULE
Here is my emule anchor (/etc/emule.pf):
ext_if = "pppoe0"
MuleIP= "172.16.43.10"
localnet= "172.16.43.0/24"
InMuleTCP = "{ 4661, 4662 }"
InMuleUDP = "{ 4665, 4672 }"
rdr on $ext_if proto tcp from !$localnet to any port 4661:4662 -> $MuleIP \
port 4661:*
rdr on $ext_if proto udp from !$localnet to any port 4665 -> $MuleIP port 4665
rdr on $ext_if proto udp from !$localnet to any port 4672 -> $MuleIP port 4672
# pf evaluates filter rules against the packet after rdr has rewritten it, so
# the pass rules must match the redirect target ($MuleIP), not the external address
pass in quick on $ext_if inet proto tcp from any to $MuleIP port $InMuleTCP \
flags S/SA keep state label eMuleTCP
pass in quick on $ext_if inet proto udp from any to $MuleIP port $InMuleUDP \
keep state label eMuleUDP
END OF EMULE ANCHOR
The anchor is loaded when I need it via:
pfctl -v -a emule -f /etc/emule.pf
and unloaded
pfctl -v -a emule -Fa -sn && pfctl -v -a emule -Fa -sr
THX A LOT FOR HELPING
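The load/unload procedure and the pflog lines above, as an added example that is not part of the original post: a small sh script with helpers that syntax-check and load the anchor, show its rules with match counters, flush it again, and summarise pflog output by rule, interface and destination port so you can see which rule is the final match. The anchor name and file path are taken from the post; the sample log lines are constructed (the four lines from the post plus one hypothetical pass line attributed to an anchor rule), and the `emule_*` helper names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for loading, verifying
# and unloading the "emule" anchor, plus a summariser for pflog output
# (OpenBSD: tcpdump -n -e -ttt -r /var/log/pflog) that shows which rule,
# interface and destination port blocked or passed traffic.

ANCHOR="emule"
ANCHOR_FILE="/etc/emule.pf"

# Syntax-check the anchor file (-n), load it, then print the anchor's
# translation (rdr) and filter rules with counters. If the pass rules keep
# "Packets: 0" while pflog still reports the main ruleset's block rule, the
# anchor is loaded but its rules never match the (translated) packets.
emule_load() {
    pfctl -n -a "$ANCHOR" -f "$ANCHOR_FILE" || return 1
    pfctl -a "$ANCHOR" -f "$ANCHOR_FILE" || return 1
    pfctl -a "$ANCHOR" -vvsn
    pfctl -a "$ANCHOR" -vvsr
}

# Flush the anchor's filter and translation rules. States already created by
# the anchor's rules are not removed by this; existing connections live on
# until they time out.
emule_unload() {
    pfctl -a "$ANCHOR" -Fr && pfctl -a "$ANCHOR" -Fn
}

# Summarise pflog lines by rule id, action, direction, interface and
# destination port. Reads stdin; prints "rule action dir iface dport count".
# Rule ids from anchors look like "9.emule.1" and are kept as-is.
pflog_summary() {
    awk '
    /rule [^ ]+\// {
        for (i = 1; i <= NF; i++) if ($i == "rule") break
        split($(i + 1), r, "/")             # "2/(match)" -> rule id "2"
        act = $(i + 2); dir = $(i + 3)      # "block" "in"
        ifc = $(i + 5); sub(/:$/, "", ifc)  # "pppoe0:" -> "pppoe0"
        for (j = i; j <= NF; j++) if ($j == ">") break
        dst = $(j + 1); sub(/:$/, "", dst)  # "158.64.125.147.4662"
        n = split(dst, p, "."); dport = p[n]
        cnt[r[1] " " act " " dir " " ifc " " dport]++
    }
    END { for (k in cnt) print k, cnt[k] }' | LC_ALL=C sort
}

# Constructed sample: the four block lines from the post plus one hypothetical
# UDP packet passed by the anchor's second filter rule (anchor rule 9 in the
# main ruleset), to show the summary separates rule ids and ports.
SAMPLE_PFLOG='Dec 22 13:05:36.720276 rule 2/(match) block in on pppoe0: 80.239.200.108.34965 > 158.64.125.147.4662: [|tcp] (DF)
Dec 22 13:05:37.330539 rule 2/(match) block in on pppoe0: 212.112.238.82.13114 > 158.64.125.147.4662: [|tcp] (DF)
Dec 22 13:05:39.720729 rule 2/(match) block in on pppoe0: 80.239.200.108.34965 > 158.64.125.147.4662: [|tcp] (DF)
Dec 22 13:05:40.330485 rule 2/(match) block in on pppoe0: 212.112.238.82.13114 > 158.64.125.147.4662: [|tcp] (DF)
Dec 22 13:06:01.000000 rule 9.emule.1/(match) pass in on pppoe0: 1.2.3.4.55555 > 172.16.43.10.4665: udp 25'

printf '%s\n' "$SAMPLE_PFLOG" | pflog_summary
```

Run `emule_load` after editing the anchor file and compare the counters from `pfctl -a emule -vvsr` with the summary of a fresh pflog capture: as long as the final match for port 4662 is the main ruleset's rule 2 (the `block log (all) all` line, counting from 0), none of the anchor's pass rules matched the packet that pf actually filtered.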