Add a new rule to open a port

General questions.
rpc972
Posts: 6
Joined: January 8th, 2018, 7:34 pm

Add a new rule to open a port

Post by rpc972 » October 13th, 2019, 5:51 am

Hi,
I'm new to firewalls and am trying to open port 51070 for the Transmission app.

This is my rule detail:

After adding the rule, the port stays blocked.
What's wrong?
Thanks for help.
Philippe
Attachments
Capture du 2019-10-13 07-44-37.png

gpatel-fr
Posts: 51
Joined: July 24th, 2019, 7:59 am

Re: Add a new rule to open a port

Post by gpatel-fr » October 13th, 2019, 8:35 am

Hello

For my rules I do the opposite of what you do: I specify the input network (RED) and don't for the destination network (what's the point? You specify a destination IP address). Besides that, it's a bit odd to set a destination address that is not in the destination network.

cfusco
Posts: 184
Joined: March 23rd, 2015, 4:19 pm

Re: Add a new rule to open a port

Post by cfusco » October 13th, 2019, 9:33 am

rpc972 wrote:
October 13th, 2019, 5:51 am
Hi,
I'm new to firewalls and am trying to open port 51070 for the Transmission app.

This is my rule detail:

After adding the rule, the port stays blocked.
What's wrong?
Thanks for help.
Philippe
You need to put the port in the other field "External port (nat)". Also, the source should be "standard networks RED", as the logic is that any incoming TCP packet (from the RED) with the destination port 51070 has to be rewritten to go to the specific internal IP you have the service running on. Packets coming from the internal network do not need to be rewritten, obviously. So do not include them in the rule.

Edit: one more thing, make sure that after creating the rule you do select the most rightward checkbox (to activate it) and apply it, as once you activate it by clicking in the checkbox there will be a button to click in the page listing all the rules. Otherwise even if the rule is there it will not be used until you apply it.
Last edited by cfusco on October 13th, 2019, 10:14 am, edited 4 times in total.

Alorotom
Posts: 429
Joined: March 30th, 2015, 6:56 am

Re: Add a new rule to open a port

Post by Alorotom » October 13th, 2019, 9:43 am

Hey,

According to https://wiki.ipfire.org/configuration/f ... forwarding you did it right. But the screenshot does not show whether you also set 'ACCEPT' for your rule.

cfusco
Posts: 184
Joined: March 23rd, 2015, 4:19 pm

Re: Add a new rule to open a port

Post by cfusco » October 13th, 2019, 9:47 am

Alorotom wrote:
October 13th, 2019, 9:43 am
Hey,

According to https://wiki.ipfire.org/configuration/f ... forwarding you did it right. But the screenshot does not show whether you also set 'ACCEPT' for your rule.
Not with the nat, you do not have that option. Destination NAT is just a rule to rewrite the destination of the incoming packet based on their TCP port, not to sort packets in the "accept" or "do not accept" buckets.

Alorotom
Posts: 429
Joined: March 30th, 2015, 6:56 am

Re: Add a new rule to open a port

Post by Alorotom » October 13th, 2019, 9:55 am

@cfusco, so the Wiki is wrong?

cfusco
Posts: 184
Joined: March 23rd, 2015, 4:19 pm

Re: Add a new rule to open a port

Post by cfusco » October 13th, 2019, 9:56 am

gpatel-fr wrote:
October 13th, 2019, 8:35 am
Hello

For my rules I do the opposite of what you do: I specify the input network (RED) and don't for the destination network (what's the point? You specify a destination IP address). Besides that, it's a bit odd to set a destination address that is not in the destination network.
You are right, the input should be RED; however, you need to specify a destination. The point of the destination NAT is to take packets coming from the WAN that have no knowledge of the topology of your network and redirect them to the specific machine on the LAN where there is a server or a process running that will respond to those packets.

cfusco
Posts: 184
Joined: March 23rd, 2015, 4:19 pm

Re: Add a new rule to open a port

Post by cfusco » October 13th, 2019, 9:58 am

Alorotom wrote:
October 13th, 2019, 9:55 am
@cfusco, so the Wiki is wrong?
No, it is correct. Why do you think what I wrote contradicts what's in there?

EDIT: I see now, I did not read the text, just looked at the image. I think it is misleading as the choice "accept" is not shown in the WUI when you select a destination NAT rule. Try yourself.

Alorotom
Posts: 429
Joined: March 30th, 2015, 6:56 am

Re: Add a new rule to open a port

Post by Alorotom » October 13th, 2019, 11:11 am

@cfusco, you're right, there is no 'ACCEPT' shown when the NAT checkbox is activated.
So the text of the wiki article is wrong, or at least misleading. The other given example of how to forward port 80 to a local webserver also does not talk about an 'ACCEPT'.

But I still don't see what OP did wrong. I think it's indeed about activating (checkbox, if not set by default to active) and loading the new rule (button on top of the rule list).
cfusco wrote:
October 13th, 2019, 9:33 am
You need to put the port in the other field "External port (nat)".
Not to my experience and some recurring explanations on this bulletin board. It is said to first use 'Destination port' and 'External port (NAT)' can stay empty (it is assumed to be the same as 'Destination port'). If used, this would specify a translation from an external target port to a different internal target port.

cfusco
Posts: 184
Joined: March 23rd, 2015, 4:19 pm

Re: Add a new rule to open a port

Post by cfusco » October 13th, 2019, 11:21 am

@Alorotom
I completely agree with everything you wrote. About the destination ports, I tried with either external NAT or destination (leaving the other one empty) and as you said, it works. Both ways. It makes sense that you can rewrite the incoming packets to a different port as well. Thanks for clarifying that for me. It should be documented in the wiki. Yes, the only explanation is that OP did not activate the rule. About the wiki, it is possible that when it was written the WUI was different from today. In any case, it should be corrected. I will try to do that, but my account does not work right now and I need to sort that first.

Alorotom
Posts: 429
Joined: March 30th, 2015, 6:56 am

Re: Add a new rule to open a port

Post by Alorotom » October 13th, 2019, 12:31 pm

cfusco wrote:
October 13th, 2019, 11:21 am
About the wiki, it is possible that when it was written the WUI was different from today. In any case, it should be corrected. I will try to do that, but my account does not work right now and I need to sort that first.
Mine neither. Maintainers are too short on time to fix that. Arne posted a few days ago that Michael is looking for support on that. My former account does not seem to work since the server migration; the wiki returns an 'Error 401' on trying to log in. Others trying to register report that they never receive an acknowledgement mail.

If you can sort that out right now, please let me know.

Alorotom

rpc972
Posts: 6
Joined: January 8th, 2018, 7:34 pm

Re: Add a new rule to open a port

Post by rpc972 » October 16th, 2019, 8:01 pm

I don't understand if I need NAT or not.

If it's possible, give me a rule example.

(Sorry for my English, I'm French.)

Thanks

gpatel-fr
Posts: 51
Joined: July 24th, 2019, 7:59 am

Re: Add a new rule to open a port

Post by gpatel-fr » October 16th, 2019, 8:30 pm

rpc972 wrote:
October 16th, 2019, 8:01 pm
I don't understand if I need NAT or not.
If what you want is to allow access to port 51070 of a computer at IP address 192.168.0.6, coming in on port 51070 on the RED interface of your IPFire firewall, you need the NAT, and you should be good by setting the source network to RED and UNsetting the destination network.

Note that if your destination computer is indeed on the Blue network (IP network 192.168.2.0/24), its IP address can't be 192.168.0.6.
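As an added illustration of the rule semantics the thread settles on (not code from IPFire or from any poster), the following Python model walks a few packets through a single destination-NAT rule built the way the replies describe: source zone RED, a destination host of 192.168.0.6 on port 51070, the 'External port (NAT)' field left empty so it defaults to the destination port, and the rightmost checkbox deciding whether the rule is consulted at all. The firewall's RED address (203.0.113.10), the GREEN network (192.168.0.0/24) and the client address are constructed for the example; the model covers only the rewrite step, not the forwarding or filter decision that IPFire makes afterwards.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses for this example (not from the thread): the firewall's
# public address on RED and the GREEN network behind it.
FIREWALL_RED_IP = "203.0.113.10"
GREEN_NETWORK = "192.168.0.0/24"


@dataclass(frozen=True)
class Packet:
    in_zone: str      # zone the packet arrived from: "RED" or "GREEN"
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class DnatRule:
    """One destination-NAT rule as entered in the WUI (field semantics as described in the thread, assumed)."""
    source_zone: str                       # 'Standard networks: RED'
    destination_ip: str                    # the host that runs the service
    destination_port: int                  # 'Destination port'
    external_port: Optional[int] = None    # 'External port (NAT)'; empty means same as destination_port
    proto: str = "tcp"
    active: bool = False                   # the rightmost checkbox; an unchecked rule is never consulted

    def port_matched_on_red(self) -> int:
        # With the NAT field empty, the port matched on RED is the destination port itself
        return self.destination_port if self.external_port is None else self.external_port


def apply_dnat(rule: DnatRule, pkt: Packet, firewall_red_ip: str = FIREWALL_RED_IP) -> Packet:
    """Return pkt rewritten by rule if it matches, otherwise unchanged.

    Only packets arriving from the configured source zone, addressed to the
    firewall's RED address on the matched port, are rewritten; everything else
    (wrong zone, wrong port, inactive rule) passes through untouched.
    """
    if not rule.active:
        return pkt
    if pkt.in_zone != rule.source_zone or pkt.proto != rule.proto:
        return pkt
    if pkt.dst != firewall_red_ip or pkt.dport != rule.port_matched_on_red():
        return pkt
    return replace(pkt, dst=rule.destination_ip, dport=rule.destination_port)


def destination_is_in_network(destination_ip: str, network_cidr: str) -> bool:
    """Sanity check from the last reply: the target host must belong to the chosen destination network."""
    return ip_address(destination_ip) in ip_network(network_cidr, strict=False)


def demo() -> dict:
    """Run the thread's scenario through the model and return the outcomes."""
    rule = DnatRule(source_zone="RED", destination_ip="192.168.0.6", destination_port=51070, active=True)
    inactive = replace(rule, active=False)            # rule created but checkbox not ticked
    remapped = replace(rule, external_port=51170)     # external 51170 -> internal 51070

    from_internet = Packet("RED", "198.51.100.7", FIREWALL_RED_IP, 51070)   # constructed client address
    from_lan = Packet("GREEN", "192.168.0.20", FIREWALL_RED_IP, 51070)      # internal host, no rewrite needed

    return {
        "red_rewritten": apply_dnat(rule, from_internet),
        "green_untouched": apply_dnat(rule, from_lan),
        "inactive_untouched": apply_dnat(inactive, from_internet),
        "remapped": apply_dnat(remapped, replace(from_internet, dport=51170)),
        "remapped_ignores_51070": apply_dnat(remapped, from_internet),
        "target_on_green": destination_is_in_network("192.168.0.6", GREEN_NETWORK),
        "target_on_blue": destination_is_in_network("192.168.0.6", "192.168.2.0/24"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the three outcomes the thread turned on: a packet from RED to port 51070 leaves with destination 192.168.0.6:51070, the same packet from GREEN or against an inactive rule is left alone, and filling 'External port (NAT)' with 51170 makes the rule match 51170 on RED while still delivering to 51070 inside. The last two entries are the address-plan check from the final reply: 192.168.0.6 belongs to 192.168.0.0/24, not to the Blue network 192.168.2.0/24.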
