Building home OpenBSD router - Part 5
August 15, 2008 4:56 pm
Start at Part 1
Xbox 360 and File Server access
Reference: The Book of PF
In this post I’ll describe how I accomplished two goals, as well as talk about a little trick for debugging what is being blocked. The two goals are allowing my Xbox 360 to connect to Xbox Live through my OpenBSD firewall, and port-forwarding to my file server so I can access my files remotely.
Let’s start with the Xbox 360. This is a very minimal change from Part 4. In Part 4 we created two macros for allowed client services, the services we allow hosts on our local network to use, seen here:
client_tcp_services = "{ ssh, smtp, domain, www, pop3, auth, https, pop3s, imap, imaps, 8000, 8080, 5190, 5222 }"
client_udp_services = "{ domain, bootps, 67 }"
The Xbox 360 uses TCP port 3074, and UDP ports 88 and 3074 so we just need to add these to those macros, seen here:
client_tcp_services = "{ ssh, smtp, domain, www, pop3, auth, https, pop3s, imap, imaps, 8000, 8080, 5190, 5222, 3074 }"
client_udp_services = "{ domain, bootps, 67, 88, 3074 }"
Next, I set up NAPT, or Network Address Port Translation. I redirect port 5022 on the external interface of my OpenBSD router to port 22 on my file server. This will allow me to SSH, SFTP and rsync to/from it when I’m away from home. To do this I need to add a single PF rdr rule, seen here:
# file server
rdr on $ext_if proto { tcp, udp } from any to $ext_if port 5022 -> $file_server port 22
Now I just reload my rules, first checking with pfctl -nf /etc/pf.conf as previously described, then loading with pfctl -f /etc/pf.conf.
One last thing is to describe a method for debugging why connections might be failing. In Part 4 I described blocking all unintended traffic with “block all”. For debugging I’m going to change this to “block log all”.
Now, whenever connectivity issues occur, debugging is as simple as running the following tcpdump:
# tcpdump -netvvi pflog0
As long as no other rules are configured to log, all output from this command will describe only traffic that is being blocked.
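On a busy link the raw pflog0 output scrolls by faster than you can read it. The following is an added example, not part of the original post: a small sh/awk helper that reads tcpdump pflog0 lines on stdin and tallies blocked packets by direction, interface and destination port, so the port that is missing from a macro stands out at once. The sample lines are constructed to approximate the `tcpdump -netvvi pflog0` format (they are not captured from the author's router) and use documentation address ranges; the function name and the optional direction argument are my own.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -netvvi pflog0` output (approximated format,
# not a real capture). 198.51.100.1 stands in for the router's external address,
# 192.168.0.3 is the xbox from the post, 203.0.113.0/24 are outside hosts.
SAMPLE_PFLOG='rule 0/(match) block in on rl0: 203.0.113.5.54321 > 198.51.100.1.22: S 1:1(0) win 65535 <mss 1460> (DF) (ttl 64, id 1, len 60)
rule 0/(match) block in on rl0: 203.0.113.5.54322 > 198.51.100.1.445: S 1:1(0) win 65535 (ttl 64, id 2, len 60)
rule 0/(match) block out on xl0: 192.168.0.3.49152 > 198.51.100.7.3074: udp 40 (ttl 64, id 3, len 68)
rule 0/(match) block in on rl0: 203.0.113.9.1025 > 198.51.100.1.445: S 1:1(0) win 8192 (ttl 128, id 4, len 48)'

# summarize_blocked [in|out]
# Reads pflog lines on stdin and prints "<count> <dir> <ifc> dport <port>",
# most frequently blocked first. An optional argument keeps only one direction.
summarize_blocked() {
    awk -v want="${1:-}" '
    /block/ {
        # Field layout: rule 0/(match) block in on rl0: SRC > DST: ...
        #               $1   $2        $3    $4 $5 $6   $7  $8 $9
        dir = $4
        ifc = $6; sub(/:$/, "", ifc)
        if (want != "" && dir != want) next
        dst = $9; sub(/:$/, "", dst)
        # tcpdump -n prints addr.port, so the port is the last dotted component
        n = split(dst, p, ".")
        key = dir " " ifc " dport " p[n]
        count[key]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Stand-alone usage: pipe the live capture in instead of the sample, e.g.
#   tcpdump -netvvi pflog0 | summarize_blocked in
printf '%s\n' "$SAMPLE_PFLOG" | summarize_blocked
```

Note that PF logs the packet after any rdr translation has been applied, so the destination port you see here is the one your filter rules are matched against; when a redirect is involved, compare the summary against the translated port, not the external one.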
Our final /etc/pf.conf for this part of the project:
# Interface Globals
ext_if = "rl0"
int_if = "xl0"
wifi_if = "rum0"
# Static machines
file_server = "192.168.0.2"
xbox = "192.168.0.3"
# Protocol Globals
router_daemons = "{ ssh, domain, ntp, bootps, 8080, 5022 }"
client_tcp_services = "{ ssh, smtp, domain, www, pop3, auth, https, pop3s, imap, imaps, 8000, 8080, 5190, 5222, 3074 }"
client_udp_services = "{ domain, bootps, 67, 88, 3074 }"
# Provide NATing for my local subnets
nat on $ext_if from $wifi_if:network to any -> ($ext_if) static-port
nat on $ext_if from $int_if:network to any -> ($ext_if)
# file server
rdr on $ext_if proto { tcp, udp } from any to $ext_if port 5022 -> $file_server port 22
block log all
set skip on lo
# Allowed Client traffic
pass out on $ext_if proto tcp to any port $client_tcp_services
pass out on $ext_if proto udp to any port $client_udp_services
# Router services
pass proto icmp
pass quick inet proto { tcp, udp } to any port $router_daemons
Continue to Step 6.
Categories: Projects