-
A snippet from "/tmp/rules.debug"
Why is the miniupnpd anchor not ending in "/*"?

# Load balancing anchor
rdr-anchor "relayd/*"
# TFTP proxy
rdr-anchor "tftp-proxy/*"
# Setup Squid proxy redirect
no rdr on em1 proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80
rdr on em1 proto tcp from any to !(em1) port 80 -> 127.0.0.1 port 3128
# UPnPd rdr anchor
rdr-anchor "miniupnpd"    (Why NOT "miniupnpd/*" ???)
anchor "relayd/*"
anchor "openvpn/*"
anchor "ipsec/*"
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
pfctl -vvsr results in no anchors named "miniupnpd"
$ pfctl -vvsr
@0 scrub on em0 all fragment reassemble
  [ Evaluations: 28002 Packets: 9561 Bytes: 1992949 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@1 scrub on em1 all fragment reassemble
  [ Evaluations: 18441 Packets: 18225 Bytes: 3932485 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@0 anchor "relayd/*" all
  [ Evaluations: 2893 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@1 anchor "openvpn/*" all
  [ Evaluations: 2893 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@2 anchor "ipsec/*" all
  [ Evaluations: 2893 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@3 block drop in inet all label "Default deny rule IPv4"
  [ Evaluations: 2893 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@4 block drop out inet all label "Default deny rule IPv4"
  [ Evaluations: 2893 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@5 block drop in inet6 all label "Default deny rule IPv6"
  [ Evaluations: 2893 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@6 block drop out inet6 all label "Default deny rule IPv6"
  [ Evaluations: 567 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@7 pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@8 pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@9 pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@10 pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@11 pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@12 pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@13 pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@14 pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@15 pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@16 pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@17 pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@18 pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@19 pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@20 pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@21 pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@22 pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@23 pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@24 pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@25 pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@26 block drop quick inet proto tcp from any port = 0 to any
  [ Evaluations: 2893 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@27 block drop quick inet proto tcp from any to any port = 0
  [ Evaluations: 1904 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@28 block drop quick inet proto udp from any port = 0 to any
  [ Evaluations: 2893 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@29 block drop quick inet proto udp from any to any port = 0
  [ Evaluations: 985 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@30 block drop quick inet6 proto tcp from any port = 0 to any
  [ Evaluations: 2893 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@31 block drop quick inet6 proto tcp from any to any port = 0
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@32 block drop quick inet6 proto udp from any port = 0 to any
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@33 block drop quick inet6 proto udp from any to any port = 0
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@34 block drop quick from <snort2c:0> to any label "Block snort2c hosts"
  [ Evaluations: 2893 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@35 block drop quick from any to <snort2c:0> label "Block snort2c hosts"
  [ Evaluations: 2893 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@36 block drop in log quick proto tcp from <sshlockout:0> to any port = ssh label "sshlockout"
  [ Evaluations: 2893 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@37 block drop in log quick proto tcp from <webconfiguratorlockout:0> to any port = http label "webConfiguratorlockout"
  [ Evaluations: 1812 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@38 block drop in quick from <virusprot:0> to any label "virusprot overload table"
  [ Evaluations: 2326 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@39 block drop in quick on em0 from <bogons:4652> to any label "block bogon IPv4 networks from WAN"
  [ Evaluations: 2326 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@40 block drop in quick on em0 from <bogonsv6:68028> to any label "block bogon IPv6 networks from WAN"
  [ Evaluations: 139 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@41 block drop in on ! em0 inet from 84.xxx.xxx.0/23 to any
  [ Evaluations: 2326 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@42 block drop in inet from 84.xxx.xxx.221 to any
  [ Evaluations: 2326 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@43 block drop in on em0 inet6 from fe80::6a05:caff:fe0f:c58 to any
  [ Evaluations: 2326 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@44 block drop in quick on em0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
  [ Evaluations: 139 Packets: 139 Bytes: 50929 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@45 block drop in quick on em0 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@46 block drop in quick on em0 inet from 100.64.0.0/10 to any label "Block private networks from WAN block 100.64/10"
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@47 block drop in quick on em0 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@48 block drop in quick on em0 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@49 block drop in quick on em0 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@50 pass in on em0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@51 pass out on em0 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
  [ Evaluations: 567 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@52 block drop in on ! em1 inet from 192.168.0.0/24 to any
  [ Evaluations: 2754 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@53 block drop in inet from 192.168.0.1 to any
  [ Evaluations: 2187 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@54 block drop in on em1 inet6 from fe80::6a05:caff:fe0f:c59 to any
  [ Evaluations: 2187 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@55 pass in quick on em1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
  [ Evaluations: 2181 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@56 pass in quick on em1 inet proto udp from any port = bootpc to 192.168.0.1 port = bootps keep state label "allow access to DHCP server"
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@57 pass out quick on em1 inet proto udp from 192.168.0.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
  [ Evaluations: 934 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@58 pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
  [ Evaluations: 2754 Packets: 108 Bytes: 9072 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@59 pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
  [ Evaluations: 12 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@60 pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
  [ Evaluations: 12 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@61 pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
  [ Evaluations: 6 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@62 pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
  [ Evaluations: 2754 Packets: 108 Bytes: 9072 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@63 pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
  [ Evaluations: 567 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@64 pass out route-to (em0 84.xxx.xxx.1) inet from 84.xxx.xxx.221 to ! 84.xxx.xxx.0/23 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
  [ Evaluations: 567 Packets: 4352 Bytes: 2038614 States: 17 ] [ Inserted: uid 0 pid 73134 ]
@65 anchor "userrules/*" all
  [ Evaluations: 2754 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@66 pass in quick on em1 inet proto tcp from <managementhosts:1> to 192.168.0.1 port = https flags S/SA keep state label "USER_RULE: Allow access to firewall management"
  [ Evaluations: 2754 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@67 pass in quick on em1 inet proto tcp from <managementhosts:1> to 192.168.0.1 port = ssh flags S/SA keep state label "USER_RULE: Allow access to firewall management"
  [ Evaluations: 1714 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@68 pass in quick on em1 inet proto tcp from <managementhosts:1> to 192.168.0.1 port = http flags S/SA keep state label "USER_RULE: Allow access to firewall management"
  [ Evaluations: 1714 Packets: 1197 Bytes: 890290 States: 2 ] [ Inserted: uid 0 pid 73134 ]
@69 pass in quick on em1 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = domain flags S/SA keep state label "USER_RULE: Allow internal network to DNS forwarder"
  [ Evaluations: 1694 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@70 pass in quick on em1 inet proto udp from 192.168.0.0/24 to 192.168.0.1 port = domain keep state label "USER_RULE: Allow internal network to DNS forwarder"
  [ Evaluations: 369 Packets: 628 Bytes: 66445 States: 1 ] [ Inserted: uid 0 pid 73134 ]
@71 pass in quick on em1 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = ntp flags S/SA keep state label "USER_RULE: Allow internal network to NTPd server"
  [ Evaluations: 1696 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@72 pass in quick on em1 inet proto udp from 192.168.0.0/24 to 192.168.0.1 port = ntp keep state label "USER_RULE: Allow internal network to NTPd server"
  [ Evaluations: 2 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@73 pass in quick on em1 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = 2189 flags S/SA keep state label "USER_RULE: Allow internal network to upnp and nat-pmp"
  [ Evaluations: 1696 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@74 pass in quick on em1 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = 5153 flags S/SA keep state label "USER_RULE: Allow internal network to upnp and nat-pmp"
  [ Evaluations: 1694 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@75 pass in quick on em1 inet from 192.168.0.0/24 to 224.0.0.0/8 flags S/SA keep state label "USER_RULE: Allow multicast"
  [ Evaluations: 1847 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@76 pass in quick on em1 inet from 192.168.0.0/24 to 239.0.0.0/30 flags S/SA keep state label "USER_RULE: Allow multicast"
  [ Evaluations: 1847 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@77 pass in quick on em1 inet proto icmp from 192.168.0.0/24 to 192.168.0.1 keep state label "USER_RULE: Allow internal network to ping LAN IP"
  [ Evaluations: 1847 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@78 block drop in quick on em1 inet from any to 192.168.0.1 label "USER_RULE: Reject all else to LAN IP"
  [ Evaluations: 1847 Packets: 1694 Bytes: 86336 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@79 pass in quick on em1 inet from 192.168.0.0/24 to any flags S/SA keep state label "USER_RULE: Default LAN -> any"
  [ Evaluations: 153 Packets: 4824 Bytes: 2762700 States: 18 ] [ Inserted: uid 0 pid 73134 ]
@80 anchor "tftp-proxy/*" all
  [ Evaluations: 573 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@81 pass in quick on em1 proto tcp from any to ! (em1:2) port = http flags S/SA keep state
  [ Evaluations: 573 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
@82 pass in quick on em1 proto tcp from any to ! (em1:2) port = 3128 flags S/SA keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 73134 ]
$ pfctl -sn -a miniupnpd
rdr log quick on em0 inet proto udp from any to any port = 17040 keep state label "Skype UDP at 192.168.0.51:17040 (2239)" rtable 0 -> 192.168.0.51 port 17040
rdr log quick on em0 inet proto tcp from any to any port = 17040 keep state label "Skype TCP at 192.168.0.51:17040 (2239)" rtable 0 -> 192.168.0.51 port 17040
-
So yeah, if I do a manual NAT it works no problem, see attached.
canyouseeme goes back to 80 when you do the test, but clearly in the output you see that it's saying 3389 is open to the public. When UPnP says that it opens this port, the firewall blocks it and canyouseeme reports closed/timeout/etc.
-
Why is the miniupnpd anchor not ending in "/*"?
The INSTALL file of the source code (miniupnpd-1.8.20130207.tar.gz) suggests the following:
- add "rdr-anchor miniupnpd" and "anchor miniupnpd" lines to /etc/pf.conf
- some FreeBSD users reported that it is also necessary for them to explicitly allow udp traffic on 239.0.0.0/8 by adding the two following lines to /etc/pf.conf :
    pass out on $int_if from any to 239.0.0.0/8 keep state
    pass in on $int_if from any to 239.0.0.0/8 keep state
pfctl -vvsn shows the following on my system:
@7 rdr-anchor "miniupnpd" all [ Evaluations: 46940 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 48152 ]
But I am not using UPnP, so that's OK.
Would be interesting to see if your systems show non-zero values there.

Edit: and it would be good to have the actual raw firewall logs of the blocked traffic.
-
The INSTALL file says to add both rdr-anchor and anchor entries.
pfctl -vvsn
$ pfctl -vvsn
@0 no nat proto carp all
  [ Evaluations: 13505 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@1 nat-anchor "natearly/*" all
  [ Evaluations: 13505 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@2 nat-anchor "natrules/*" all
  [ Evaluations: 13505 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@3 nat on em0 inet from 192.168.0.0/24 port = isakmp to any port = isakmp -> 84.xxx.xx3.221 port 500
  [ Evaluations: 13505 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@4 nat on em0 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> 84.xxx.xx3.221 port 500
  [ Evaluations: 883 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@5 nat on em0 inet from 192.168.0.0/24 to any -> 84.xxx.xx3.221 port 1024:65535
  [ Evaluations: 13457 Packets: 4057605 Bytes: 3705179324 States: 267 ] [ Inserted: uid 0 pid 31155 ]
@6 nat on em0 inet from 127.0.0.0/8 to any -> 84.xxx.xx3.221 port 1024:65535
  [ Evaluations: 883 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@0 no rdr proto carp all
  [ Evaluations: 28718 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@1 rdr-anchor "relayd/*" all
  [ Evaluations: 28718 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@2 rdr-anchor "tftp-proxy/*" all
  [ Evaluations: 28718 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@3 no rdr on em1 inet proto tcp from any to 192.168.0.0/16 port = http
  [ Evaluations: 28718 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@4 no rdr on em1 inet proto tcp from any to 172.16.0.0/12 port = http
  [ Evaluations: 5241 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@5 no rdr on em1 inet proto tcp from any to 10.0.0.0/8 port = http
  [ Evaluations: 5241 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@6 rdr on em1 inet proto tcp from any to ! (em1:1) port = http -> 127.0.0.1 port 3128
  [ Evaluations: 5241 Packets: 5044 Bytes: 3257109 States: 1 ] [ Inserted: uid 0 pid 31155 ]
@7 rdr-anchor "miniupnpd" all
  [ Evaluations: 28566 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
pfctl -vvsr
$ pfctl -vvsr
@0 scrub on em0 all fragment reassemble
  [ Evaluations: 14128596 Packets: 7067707 Bytes: 986362156 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@1 scrub on em1 all fragment reassemble
  [ Evaluations: 7060889 Packets: 7060521 Bytes: 989205780 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@0 anchor "relayd/*" all
  [ Evaluations: 39657 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@1 anchor "openvpn/*" all
  [ Evaluations: 39657 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@2 anchor "ipsec/*" all
  [ Evaluations: 39657 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@3 block drop in log inet all label "Default deny rule IPv4"
  [ Evaluations: 39657 Packets: 12604 Bytes: 796042 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@4 block drop out log inet all label "Default deny rule IPv4"
  [ Evaluations: 39657 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@5 block drop in log inet6 all label "Default deny rule IPv6"
  [ Evaluations: 39657 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@6 block drop out log inet6 all label "Default deny rule IPv6"
  [ Evaluations: 12655 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@7 pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@8 pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@9 pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@10 pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@11 pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@12 pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@13 pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@14 pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@15 pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@16 pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@17 pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@18 pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@19 pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@20 pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@21 pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@22 pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@23 pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@24 pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@25 pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@26 block drop quick inet proto tcp from any port = 0 to any
  [ Evaluations: 39657 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@27 block drop quick inet proto tcp from any to any port = 0
  [ Evaluations: 18915 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@28 block drop quick inet proto udp from any port = 0 to any
  [ Evaluations: 39657 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@29 block drop quick inet proto udp from any to any port = 0
  [ Evaluations: 20680 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@30 block drop quick inet6 proto tcp from any port = 0 to any
  [ Evaluations: 39657 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@31 block drop quick inet6 proto tcp from any to any port = 0
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@32 block drop quick inet6 proto udp from any port = 0 to any
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@33 block drop quick inet6 proto udp from any to any port = 0
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@34 block drop quick from <snort2c:0> to any label "Block snort2c hosts"
  [ Evaluations: 39657 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@35 block drop quick from any to <snort2c:0> label "Block snort2c hosts"
  [ Evaluations: 39657 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@36 block drop in log quick proto tcp from <sshlockout:0> to any port = ssh label "sshlockout"
  [ Evaluations: 39657 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@37 block drop in log quick proto tcp from <webconfiguratorlockout:0> to any port = http label "webConfiguratorlockout"
  [ Evaluations: 14044 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@38 block drop in quick from <virusprot:0> to any label "virusprot overload table"
  [ Evaluations: 27002 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@39 block drop in log quick on em0 from <bogons:10> to any label "block bogon IPv4 networks from WAN"
  [ Evaluations: 27002 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@40 block drop in log quick on em0 from <bogonsv6:0> to any label "block bogon IPv6 networks from WAN"
  [ Evaluations: 12846 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@41 block drop in on ! em0 inet from 84.xxx.xx2.0/23 to any
  [ Evaluations: 27002 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@42 block drop in inet from 84.xxx.xx3.221 to any
  [ Evaluations: 27002 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@43 block drop in on em0 inet6 from fe80::6a05:caff:fe0f:c58 to any
  [ Evaluations: 27002 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@44 block drop in log quick on em0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
  [ Evaluations: 12846 Packets: 242 Bytes: 89350 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@45 block drop in log quick on em0 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
  [ Evaluations: 12604 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@46 block drop in log quick on em0 inet from 100.64.0.0/10 to any label "Block private networks from WAN block 100.64/10"
  [ Evaluations: 12604 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@47 block drop in log quick on em0 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
  [ Evaluations: 12604 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@48 block drop in log quick on em0 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
  [ Evaluations: 12604 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@49 block drop in log quick on em0 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
  [ Evaluations: 12604 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@50 pass in on em0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
  [ Evaluations: 12604 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@51 pass out on em0 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
  [ Evaluations: 18042 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@52 block drop in on ! em1 inet from 192.168.0.0/24 to any
  [ Evaluations: 39415 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@53 block drop in inet from 192.168.0.1 to any
  [ Evaluations: 26783 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@54 block drop in on em1 inet6 from fe80::6a05:caff:fe0f:c59 to any
  [ Evaluations: 26760 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@55 pass in quick on em1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
  [ Evaluations: 14132 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@56 pass in quick on em1 inet proto udp from any port = bootpc to 192.168.0.1 port = bootps keep state label "allow access to DHCP server"
  [ Evaluations: 2 Packets: 3 Bytes: 1232 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@57 pass out quick on em1 inet proto udp from 192.168.0.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
  [ Evaluations: 19931 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@58 pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
  [ Evaluations: 39413 Packets: 184 Bytes: 14796 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@59 pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
  [ Evaluations: 48 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@60 pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
  [ Evaluations: 48 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@61 pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
  [ Evaluations: 24 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@62 pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
  [ Evaluations: 39413 Packets: 1502 Bytes: 388250 States: 2 ] [ Inserted: uid 0 pid 31155 ]
@63 pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
  [ Evaluations: 12655 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@64 pass out route-to (em0 84.xxx.xx2.1) inet from 84.xxx.xx3.221 to ! 84.xxx.xx2.0/23 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
  [ Evaluations: 12655 Packets: 4049547 Bytes: 3701333567 States: 177 ] [ Inserted: uid 0 pid 31155 ]
@65 anchor "userrules/*" all
  [ Evaluations: 39413 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@66 pass in quick on em1 inet proto tcp from <managementhosts:1> to 192.168.0.1 port = https flags S/SA keep state label "USER_RULE: Allow access to firewall management"
  [ Evaluations: 39413 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@67 pass in quick on em1 inet proto tcp from <managementhosts:1> to 192.168.0.1 port = ssh flags S/SA keep state label "USER_RULE: Allow access to firewall management"
  [ Evaluations: 1987 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@68 pass in quick on em1 inet proto tcp from <managementhosts:1> to 192.168.0.1 port = http flags S/SA keep state label "USER_RULE: Allow access to firewall management"
  [ Evaluations: 1987 Packets: 2933 Bytes: 2349344 States: 2 ] [ Inserted: uid 0 pid 31155 ]
@69 pass in quick on em1 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = domain flags S/SA keep state label "USER_RULE: Allow internal network to DNS forwarder"
  [ Evaluations: 1960 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@70 pass in quick on em1 inet proto udp from 192.168.0.0/24 to 192.168.0.1 port = domain keep state label "USER_RULE: Allow internal network to DNS forwarder"
  [ Evaluations: 7279 Packets: 940 Bytes: 91307 States: 5 ] [ Inserted: uid 0 pid 31155 ]
@71 pass in quick on em1 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = ntp flags S/SA keep state label "USER_RULE: Allow internal network to NTPd server"
  [ Evaluations: 1968 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@72 pass in quick on em1 inet proto udp from 192.168.0.0/24 to 192.168.0.1 port = ntp keep state label "USER_RULE: Allow internal network to NTPd server"
  [ Evaluations: 8 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@73 pass in quick on em1 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = 2189 flags S/SA keep state label "USER_RULE: Allow internal network to upnp and nat-pmp"
  [ Evaluations: 1968 Packets: 452 Bytes: 90991 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@74 pass in quick on em1 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = 5153 flags S/SA keep state label "USER_RULE: Allow internal network to upnp and nat-pmp"
  [ Evaluations: 1921 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@75 pass in quick on em1 inet from 192.168.0.0/24 to 224.0.0.0/8 flags S/SA keep state label "USER_RULE: Allow multicast"
  [ Evaluations: 13597 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@76 pass in quick on em1 inet from 192.168.0.0/24 to 239.0.0.0/30 flags S/SA keep state label "USER_RULE: Allow multicast"
  [ Evaluations: 13597 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@77 pass in quick on em1 inet proto icmp from 192.168.0.0/24 to 192.168.0.1 keep state label "USER_RULE: Allow internal network to ping LAN IP"
  [ Evaluations: 13597 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@78 block drop in quick on em1 inet from any to 192.168.0.1 label "USER_RULE: Reject all else to LAN IP"
  [ Evaluations: 13597 Packets: 1926 Bytes: 98442 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@79 pass in quick on em1 inet from 192.168.0.0/24 to any flags S/SA keep state label "USER_RULE: Default LAN -> any"
  [ Evaluations: 11671 Packets: 4049388 Bytes: 3702156825 States: 164 ] [ Inserted: uid 0 pid 31155 ]
@80 anchor "tftp-proxy/*" all
  [ Evaluations: 25283 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@81 pass in quick on em1 proto tcp from any to ! (em1:2) port = http flags S/SA keep state
  [ Evaluations: 25283 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
@82 pass in quick on em1 proto tcp from any to ! (em1:2) port = 3128 flags S/SA keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 31155 ]
That is with uTorrent opening 22425 (tcp/udp) using UPnP. (The internal uTorrent port-forwarding test says OK, but the traffic gets blocked by the default rule.)
RAW firewall logging
[code]Feb 17 14:29:10 pf: 208.94.246.12.59207 > 84.xxx.xxx.xxx.52631: Flags [S], cksum 0x8c13 (correct), seq 3040150792, win 7300, options [mss 1460,sackOK,TS val 93819911 ecr 0,nop,wscale 0], length 0
Feb 17 14:29:10 pf: 00:00:00.032232 rule 3/0(match): block in on em0: (tos 0x0, ttl 52, id 37135, offset 0, flags [DF], proto TCP (6), length 60)
Feb 17 14:29:10 pf: 90.38.197.137.61089 > 192.168.0.51.22425: Flags [S], cksum 0x8c47 (correct), seq 106599862, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
Feb 17 14:29:10 pf: 00:00:00.000701 rule 3/0(match): block in on em0: (tos 0x0, ttl 115, id 20243, offset 0, flags [DF], proto TCP (6), length 52)
Feb 17 14:29:10 pf: 90.38.197.137.28344 > 192.168.0.51.22425: UDP, length 30
Feb 17 14:29:10 pf: 00:00:00.007670 rule 3/0(match): block in on em0: (tos 0x0, ttl 115, id 20242, offset 0, flags [none], proto UDP (17), length 58)
Feb 17 14:29:10 pf: 213.220.227.57.53390 > 192.168.0.51.22425: Flags [S], cksum 0x43d8 (correct), seq 3521645254, win 8960, options [mss 8960,sackOK,TS val 120667621 ecr 0,nop,wscale 4], length 0
Feb 17 14:29:10 pf: 00:00:00.040965 rule 3/0(match): block in on em0: (tos 0x0, ttl 54, id 14115, offset 0, flags [DF], proto TCP (6), length 60)
Feb 17 14:29:10 pf: 77.41.15.219.55721 > 84.xxx.xxx.xxx.46657: UDP, length 20
Feb 17 14:29:10 pf: 00:00:00.750937 rule 3/0(match): block in on em0: (tos 0x0, ttl 115, id 28101, offset 0, flags [none], proto UDP (17), length 48)
Feb 17 14:29:10 pf: 95.236.57.133.18746 > 192.168.0.51.22425: Flags [S], cksum 0x113d (correct), seq 2237709668, win 8192, options [mss 1442,nop,wscale 8,nop,nop,sackOK], length 0[/code]

netstat -rn
[code]$ netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            84.xxx.xx2.1       UGS         0   174916    em0
84.xxx.xx2.0/23    link#1             U           0      704    em0
84.xxx.xx3.221     link#1             UHS         0        0    lo0
127.0.0.1          link#5             UH          0       58    lo0
192.168.0.0/24     link#2             U           0  7241831    em1
192.168.0.1        link#2             UHS         0      832    lo0

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::1                               ::1                           UH          lo0
fe80::%em0/64                     link#1                        U           em0
fe80::6a05:caff:fe0f:c58%em0      link#1                        UHS         lo0
fe80::%em1/64                     link#2                        U           em1
fe80::6a05:caff:fe0f:c59%em1      link#2                        UHS         lo0
fe80::%lo0/64                     link#5                        U           lo0
fe80::1%lo0                       link#5                        UHS         lo0
ff01::%em0/32                     fe80::6a05:caff:fe0f:c58%em0  U           em0
ff01::%em1/32                     fe80::6a05:caff:fe0f:c59%em1  U           em1
ff01::%lo0/32                     ::1                           U           lo0
ff02::%em0/32                     fe80::6a05:caff:fe0f:c58%em0  U           em0
ff02::%em1/32                     fe80::6a05:caff:fe0f:c59%em1  U           em1
ff02::%lo0/32                     ::1                           U           lo0[/code]

cat /tmp/rules.debug
[code]$ cat /tmp/rules.debug
set limit tables 3000
set optimization normal
set timeout { adaptive.start 0, adaptive.end 0 }
set limit states 894000
set limit src-nodes 894000

#System aliases

loopback = "{ lo0 }"
WAN = "{ em0 }"
LAN = "{ em1 }"

#SSH Lockout Table
table <sshlockout> persist
table <webconfiguratorlockout> persist

#Snort tables
table <snort2c>
table <virusprot>
table <negate_networks>

# User Aliases
table <managementhosts> { 192.168.0.0/25 }
ManagementHosts = "<managementhosts>"
ManagementPorts = "{ 443 22 80 }"
ProxyPorts = "{ 3128 }"
UpnpPorts = "{ 2189 5153 }"

# Gateways
GWWAN = " route-to ( em0 84.xxx.xx2.1 ) "

set loginterface em1
set skip on pfsync0

scrub on $WAN all fragment reassemble
scrub on $LAN all fragment reassemble

no nat proto carp
no rdr proto carp
nat-anchor "natearly/*"
nat-anchor "natrules/*"

# Outbound NAT rules
# Subnets to NAT
tonatsubnets = "{ 192.168.0.0/24 127.0.0.0/8 }"
nat on $WAN from $tonatsubnets port 500 to any port 500 -> 84.xxx.xx3.221/32 port 500
nat on $WAN from $tonatsubnets to any -> 84.xxx.xx3.221/32 port 1024:65535

# Load balancing anchor
rdr-anchor "relayd/*"
# TFTP proxy
rdr-anchor "tftp-proxy/*"
# Setup Squid proxy redirect
no rdr on em1 proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80
rdr on em1 proto tcp from any to !(em1) port 80 -> 127.0.0.1 port 3128
# UPnPd rdr anchor
rdr-anchor "miniupnpd"

anchor "relayd/*"
anchor "openvpn/*"
anchor "ipsec/*"
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log inet all label "Default deny rule IPv4"
block out log inet all label "Default deny rule IPv4"
block in log inet6 all label "Default deny rule IPv6"
block out log inet6 all label "Default deny rule IPv6"

# IPv6 ICMP is not auxilary, it is required for operation
# See man icmp6(4)
# 1    unreach         Destination unreachable
# 2    toobig          Packet too big
# 128  echoreq         Echo service request
# 129  echorep         Echo service reply
# 133  routersol       Router solicitation
# 134  routeradv       Router advertisement
# 135  neighbrsol      Neighbor solicitation
# 136  neighbradv      Neighbor advertisement
pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} keep state

# Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} keep state

# We use the mighty pf, we cannot be fooled.
block quick inet proto { tcp, udp } from any port = 0 to any
block quick inet proto { tcp, udp } from any to any port = 0
block quick inet6 proto { tcp, udp } from any port = 0 to any
block quick inet6 proto { tcp, udp } from any to any port = 0

# Snort package
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"

# SSH lockout
block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

# webConfigurator lockout
block in log quick proto tcp from <webconfiguratorlockout> to any port 80 label "webConfiguratorlockout"
block in quick from <virusprot> to any label "virusprot overload table"
table <bogons> persist file "/etc/bogons"
table <bogonsv6> persist file "/etc/bogonsv6"

# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
# http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
block in log quick on $WAN from <bogons> to any label "block bogon IPv4 networks from WAN"
block in log quick on $WAN from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
antispoof for em0
# block anything from private networks on interfaces with the option set
antispoof for $WAN
block in log quick on $WAN from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
block in log quick on $WAN from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
block in log quick on $WAN from 100.64.0.0/10 to any label "Block private networks from WAN block 100.64/10"
block in log quick on $WAN from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
block in log quick on $WAN from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
block in log quick on $WAN from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
# allow our DHCP client out to the WAN
pass in on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
pass out on $WAN proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN"
# Not installing DHCP server firewall rules for WAN which is configured for DHCP.
antispoof for em1
# allow access to DHCP server on LAN
pass in quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in quick on $LAN proto udp from any port = 68 to 192.168.0.1 port = 67 label "allow access to DHCP server"
pass out quick on $LAN proto udp from 192.168.0.1 port = 67 to any port = 68 label "allow access to DHCP server"

# loopback
pass in on $loopback inet all label "pass IPv4 loopback"
pass out on $loopback inet all label "pass IPv4 loopback"
pass in on $loopback inet6 all label "pass IPv6 loopback"
pass out on $loopback inet6 all label "pass IPv6 loopback"
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"
pass out route-to ( em0 84.xxx.xx2.1 ) from 84.xxx.xx3.221 to !84.xxx.xx2.0/23 keep state allow-opts label "let out anything from firewall host itself"

# User-defined rules follow
anchor "userrules/*"
pass in quick on $LAN proto tcp from $ManagementHosts to 192.168.0.1 port $ManagementPorts flags S/SA keep state label "USER_RULE: Allow access to firewall management"
pass in quick on $LAN proto { tcp udp } from 192.168.0.0/24 to 192.168.0.1 port 53 keep state label "USER_RULE: Allow internal network to DNS forwarder"
pass in quick on $LAN proto { tcp udp } from 192.168.0.0/24 to 192.168.0.1 port 123 keep state label "USER_RULE: Allow internal network to NTPd server"
pass in quick on $LAN proto tcp from 192.168.0.0/24 to 192.168.0.1 port $UpnpPorts flags S/SA keep state label "USER_RULE: Allow internal network to upnp and nat-pmp"
pass in quick on $LAN from 192.168.0.0/24 to 224.0.0.0/8 keep state label "USER_RULE: Allow multicast"
pass in quick on $LAN from 192.168.0.0/24 to 239.0.0.0/30 keep state label "USER_RULE: Allow multicast"
pass in quick on $LAN proto icmp from 192.168.0.0/24 to 192.168.0.1 keep state label "USER_RULE: Allow internal network to ping LAN IP"
block in quick on $LAN from any to 192.168.0.1 label "USER_RULE: Reject all else to LAN IP"
pass in quick on $LAN from 192.168.0.0/24 to any keep state label "USER_RULE: Default LAN -> any"

# Automatic Pass rules for any delegated IPv6 prefixes through dynamic IPv6 clients

# VPN Rules

anchor "tftp-proxy/*"

# Setup squid pass rules for proxy
pass in quick on em1 proto tcp from any to !(em1) port 80 flags S/SA keep state
pass in quick on em1 proto tcp from any to !(em1) port 3128 flags S/SA keep state[/code]

![Utorrent-test.png](/public/_imported_attachments_/1/Utorrent-test.png)
![pfsense_unpnstatus.png](/public/_imported_attachments_/1/pfsense_unpnstatus.png)
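A check for the mismatch the post above turns up, added here as an example and not code from the thread or from pfSense: it lists every rdr-anchor in a ruleset that has no matching filter anchor. The log already shows the destination rewritten to 192.168.0.51.22425, so the rdr-anchor did its job; what is missing is the filter anchor "miniupnpd" that would hold the pass rules, so the packet falls through to the default deny (rule 3). The function name and the two sample rulesets (built from the anchor lines in rules.debug above) are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense.
# List rdr-anchors in a pf ruleset that have no matching filter anchor.
# A rdr only rewrites the destination; the rewritten packet is still
# filtered, so an rdr-anchor without its filter anchor (here "miniupnpd")
# leaves the packet to the main ruleset, where it hits the default deny.

# Prints one missing anchor name per line; returns 1 if any is missing.
check_anchors() {
    ruleset="$1"
    rc=0
    # rdr-anchor names, with a trailing "/*" stripped
    for name in $(sed -n 's/^[[:space:]]*rdr-anchor[[:space:]]*"\([^"/]*\).*/\1/p' "$ruleset" | sort -u); do
        if ! grep -Eq "^[[:space:]]*anchor[[:space:]]+\"$name(/\*)?\"" "$ruleset"; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the anchor lines from the rules.debug posted above.
BROKEN="$(mktemp)"
cat > "$BROKEN" <<'EOF'
nat-anchor "natearly/*"
nat-anchor "natrules/*"
rdr-anchor "relayd/*"
rdr-anchor "tftp-proxy/*"
rdr-anchor "miniupnpd"
anchor "relayd/*"
anchor "openvpn/*"
anchor "ipsec/*"
anchor "userrules/*"
anchor "tftp-proxy/*"
EOF

# The same ruleset with the filter anchor that the thread's fix puts back.
FIXED="$(mktemp)"
{ cat "$BROKEN"; echo 'anchor "miniupnpd"'; } > "$FIXED"

# Usage on a live box: check_anchors /tmp/rules.debug
if check_anchors "$BROKEN" >/dev/null; then
    echo "broken sample: unexpectedly complete"
else
    echo "broken sample: rdr-anchor without filter anchor -> $(check_anchors "$BROKEN")"
fi
check_anchors "$FIXED" && echo "fixed sample: every rdr-anchor has a filter anchor"
```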
-
OK, I found it. It wasn't the upnp daemon, but a recent change broke the test that puts the rules anchor in rules.debug.
Should be fixed by https://github.com/pfsense/pfsense/commit/290296cdc05747b65145077e2715e7c4e2ae60aa
Not sure how mine worked without that anchor, but it was working for me.
-
Just did a gitsync - and shazam, there you go, working!
I don't really use it, but I'm sure the guys that do will be happy it's working again.. Sweet how some reporting of details and the issue is fixed..
Got to love the pfsense crew! Thanks guys!!
-
gitsync saved the day!
miniupnpd is working again, thanks. ;D
-
OK, I found it. It wasn't the upnp daemon, but a recent change broke the test that puts the rules anchor in rules.debug.
Should be fixed by https://github.com/bsdperimeter/pfsense/commit/290296cdc05747b65145077e2715e7c4e2ae60aa
Not sure how mine worked without that anchor, but it was working for me.
Well Jim, since you figured it out before I had to go through your list of tasks, I made a small donation to the project. ;D
Oh, and thanks, of course!!!
-
Thanks!
-
Just did a gitsync - and shazam, there you go, working!
I don't really use it, but I'm sure the guys that do will be happy it's working again.. Sweet how some reporting of details and the issue is fixed..
Got to love the pfsense crew! Thanks guys!!
Yep, quite impressive. Everything running smoothly, can't ask for more.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.