From: Michael MacLeod
Date: Tue, 3 Apr 2012 15:23:59 -0400
To: freebsd-pf@freebsd.org
Subject: PF And Cone NAT
List-Id: "Technical discussion and general questions about packet filter (pf)"

Ladies and Gentlemen,

Every once in a while I run into an issue wherein the symmetric NAT of pf causes me grief.
I've found some older mailing list entries asking about PF and Cone or Full Cone NAT (such as this one from 2005: http://www.mail-archive.com/freebsd-pf@freebsd.org/msg00804.html), but I haven't seen anything new in a while. Almost all discussion I can find suggests using static-port on the NAT rule entry, but this doesn't seem to be entirely the same thing. Adding static-port will prevent PF from randomizing the source port used for outbound TCP and UDP traffic, but I don't see any mention of it enabling actual Cone behaviour with regards to inbound traffic destined for the now-not-random port. It appears that a NAT table entry, even with the static-port option, will still not accept an inbound packet from external IP B when the NAT rule was originally created for external IP A, which I gather is the main thrust of cone NAT.

I understand that cone NAT is a generally terrible and insecure way to do NAT, but game and application developers seem hell-bent on depending on cone NAT behaviour. Is there a way to make it work with PF?

Regards,
Mike
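The distinction Mike draws above (static-port fixes the outside port, but the state pf creates is still keyed on the remote endpoint, so a packet from B cannot use state created for A) can be made concrete with a small model. The following Python is an added example for this thread, not pf source and not code from the poster: it simulates a NAT mapping table under two policies, "symmetric" (state pinned to the internal endpoint plus the remote endpoint, as the post describes for pf, with an option mirroring `static-port`) and "full_cone" (state keyed on the internal endpoint only). The addresses are constructed documentation-range values, and the model deliberately ignores protocol, state timeouts and the separate `pass` rules pf would also need; it exists only to show which inbound packets each policy forwards.

```python
"""Toy model of NAT mapping policies (constructed example, not pf code).

symmetric : state keyed on (internal ip, internal port, remote ip, remote port);
            this is the endpoint-dependent behaviour the post describes for pf.
full_cone : state keyed on (internal ip, internal port) only, so any remote
            host may reach the mapped public port once it exists.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]


@dataclass
class Nat:
    mode: str                       # "symmetric" or "full_cone"
    static_port: bool = False       # mirror of pf's static-port: keep the internal source port
    public_ip: str = "203.0.113.1"  # constructed public address (documentation range)
    next_port: int = 50000          # next port handed out when not static_port
    state: Dict[tuple, int] = field(default_factory=dict)  # key -> public port

    def _key(self, internal: Endpoint, external: Endpoint) -> tuple:
        """Full cone keys on the internal endpoint; symmetric also pins the peer."""
        if self.mode == "full_cone":
            return internal
        return internal + external

    def outbound(self, internal: Endpoint, external: Endpoint) -> Endpoint:
        """Internal host sends to external; create state if needed, return public endpoint."""
        key = self._key(internal, external)
        if key not in self.state:
            if self.static_port:
                port = internal[1]          # same port outside as inside
            else:
                port = self.next_port       # a fresh (here: sequential) port
                self.next_port += 1
            self.state[key] = port
        return (self.public_ip, self.state[key])

    def inbound(self, external: Endpoint, public_port: int) -> Optional[Endpoint]:
        """Packet from external arrives at public_port; return the internal
        endpoint it is forwarded to, or None when no state matches (dropped)."""
        for key, port in self.state.items():
            if port != public_port:
                continue
            internal = (key[0], key[1])
            if self.mode == "full_cone":
                return internal             # any remote host is accepted
            if (key[2], key[3]) == external:
                return internal             # only the peer that created the state
        return None


def demo(mode: str, static_port: bool = False) -> dict:
    """LAN host talks to peer A only; then check who can reach the mapped port."""
    nat = Nat(mode=mode, static_port=static_port)
    lan = ("192.168.1.10", 4000)        # constructed internal endpoint
    peer_a = ("198.51.100.5", 27015)    # constructed remote peers
    peer_b = ("198.51.100.9", 27015)
    _, pub_port = nat.outbound(lan, peer_a)
    result = {
        "public_port": pub_port,
        "reply_from_a": nat.inbound(peer_a, pub_port),
        "unsolicited_from_b": nat.inbound(peer_b, pub_port),
    }
    # Now talk to B as well: does the public port stay the same?
    _, result["port_to_b"] = nat.outbound(lan, peer_b)
    return result


if __name__ == "__main__":
    for mode, static in (("symmetric", False), ("symmetric", True), ("full_cone", False)):
        print(mode, "static_port=%s" % static, demo(mode, static))
```

Running it shows the three cases side by side: symmetric NAT without static-port hands out a different public port for A and for B and drops B's unsolicited packet; symmetric NAT with static-port keeps port 4000 for both peers but still drops B's packet, because no state exists for B; only the full-cone policy forwards B's packet to the LAN host. That is exactly the gap between "predictable port" and "cone behaviour" the post is asking about, and it is also why cone NAT widens exposure: any host that learns the public port can reach the internal endpoint.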