Re: Help npf, only one port opened, but several expected.

[Luis Mendes <luisvmendes%yandex.com@localhost>]

Em Mon, 22 Sep 2025 15:39:46 -0000 (UTC), mlelstv%serpens.de@localhost (Michael
van Elst) escreveu:

|  luisvmendes%yandex.com@localhost (Luis Mendes) writes:
|  
|  >Hi,  
|  
|  >## Issue nr 1
|  >I was expecting to have several ports open in my SOHO
router/firewall, but = |  >a scan from an outside host showed only port
11110 to be opened: |  
|  A port list works for me. I'm using lists and ranges.

Hello Michael,

Thank you for your help.

Maybe I didn't explained correctly.
What I meant is that albeit I had several ports that should be open, by
the rules, only one as detected by a massive scan.
The "should be" is in my understanding only.


|  
|  
|  >## Issue nr 2  
|  
|  >I need to open ports 500 and 4500 on udp, and also proto 50 to a
corporate = |  >laptop do connect to Forticlient vpn server.
|  >In OpenBSD's pf, that was accomplished with these rules:
|  >pass in on re0 inet proto udp from any port =3D 500 to 192.168.1.12
|  >pass in on re0 inet proto udp from any port =3D 4500 to 192.168.1.12
|  >pass in on re0 inet proto esp from any to 192.168.1.12  
|  
|  
|  You need to have stateless rules for both directions. Mixing
|  a stateless 'in' with a stateful 'out' can have problems.
|  The stateless rules (with final) should then also come before
|  all stateful rules.
|  
|  E.g. this is for regular IPSec:
|  
|          # allow known IPSEC traffic
|          pass out final proto udp from $ext_v4 \
|                  port isakmp to $ipsec_peers port isakmp
|          pass in final proto udp from $ipsec_peers \
|                  port isakmp to $ext_v4 port isakmp
|          pass out final proto esp from $ext_v4 to $ipsec_peers
|          pass in final proto esp from $ipsec_peers to $ext_v4

Regarding the $ipsec_peers, I don't have that information.
Maybe have to use 'any'.

I'll try this and get back to you.

Thank you,


Luís Mendes