NetBSD-Users archive


Re: Help npf, only one port opened, but several expected.



luisvmendes%yandex.com@localhost (Luis Mendes) writes:

>Hi,

>## Issue nr 1
>I was expecting to have several ports open in my SOHO router/firewall, but
>a scan from an outside host showed only port 11110 to be opened:

A port list works for me. I'm using lists and ranges.


>## Issue nr 2

>I need to open ports 500 and 4500 on udp, and also proto 50, for a corporate
>laptop to connect to a Forticlient vpn server.
>In OpenBSD's pf, that was accomplished with these rules:
>pass in on re0 inet proto udp from any port = 500 to 192.168.1.12
>pass in on re0 inet proto udp from any port = 4500 to 192.168.1.12
>pass in on re0 inet proto esp from any to 192.168.1.12


You need to have stateless rules for both directions. Mixing
a stateless 'in' with a stateful 'out' can have problems.
The stateless rules (with final) should then also come before
all stateful rules.

E.g. this is for regular IPSec:

        # allow known IPSEC traffic
        pass out final proto udp from $ext_v4 \
                port isakmp to $ipsec_peers port isakmp
        pass in final proto udp from $ipsec_peers \
                port isakmp to $ext_v4 port isakmp
        pass out final proto esp from $ext_v4 to $ipsec_peers
        pass in final proto esp from $ipsec_peers to $ext_v4
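
Putting the advice above together with the rules quoted from the question, here is an added npf.conf fragment written for this page; it is an illustration, not the reply author's configuration and not NetBSD project code. It assumes the external interface is re0 (as in the pf rules), that the laptop is 192.168.1.12, that inet4() is available for the address of the interface (NetBSD 8 or later), and that the service ports in the list and range are placeholders; the variable and group names are chosen for the example. The IPsec rules are stateless and final in both directions and sit before every stateful rule, which is the point made in the reply; the list and range on the stateful rules show the two port forms for issue 1.

```conf
# Added example (not from the original post): npf.conf fragment for both issues.
# Assumptions: external interface re0, laptop at 192.168.1.12, service ports
# below are illustrative placeholders.

$ext_if   = "re0"
$ext_v4   = inet4($ext_if)       # address of re0; assumes NetBSD 8 or later
$vpn_host = 192.168.1.12
$ike      = { 500, 4500 }        # isakmp and ipsec-nat-t
$svc_tcp  = { 22, 443, 11110 }   # a port list: each member matched on its own
$svc_udp  = 11110-11119          # a port range, inclusive

group "external" on $ext_if {
        # Issue 2: IPsec for the laptop. Stateless and final in BOTH
        # directions, and placed before any stateful rule, so neither
        # direction depends on a state entry created by the other.
        pass in  final proto udp from any port $ike to $vpn_host port $ike
        pass out final proto udp from $vpn_host port $ike to any port $ike
        pass in  final proto esp from any to $vpn_host
        pass out final proto esp from $vpn_host to any

        # Issue 1: the services that should show up in an outside scan,
        # stateful, using a list and a range.
        pass stateful in final proto tcp to $ext_v4 port $svc_tcp
        pass stateful in final proto udp to $ext_v4 port $svc_udp

        # Everything the router itself originates is stateful.
        pass stateful out final all
}

# Explicit default policy, as in the NetBSD example configuration.
group default {
        pass final on lo0 all
        block all
}
```

Check the file with `npfctl validate /etc/npf.conf` before reloading; the ordering matters because without `final` a later matching rule overrides an earlier one, and a stateful rule placed ahead of the stateless pair would claim the first ISAKMP packet and create state for only one direction.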


