From: Michael MacLeod
Date: Sun, 29 Apr 2012 20:03:23 -0400
To: freebsd-net@freebsd.org
Subject: Full Cone NAT In PF
List-Id: Networking and TCP/IP with FreeBSD

Hello FreeBSD-Net,

Every once in a while I run into an issue wherein the symmetric NAT of pf causes me grief.
I've found some older mailing list entries asking about PF and Cone or Full Cone NAT (such as this one from 2005: http://www.mail-archive.com/freebsd-pf@freebsd.org/msg00804.html), but I haven't seen anything new in a while. Almost all discussion I can find suggests using static-port on the NAT rule entry, but this doesn't seem to be entirely the same thing. Adding static-port will prevent PF from randomizing the source port used for outbound TCP and UDP traffic, but I don't see any mention of it enabling actual Cone behaviour with regard to inbound traffic destined for the now-not-random port. It appears that a NAT table entry, even with the static-port option, will still not accept an inbound packet from external IP B when the NAT rule was originally created for external IP A, which I gather is the main thrust of cone NAT.

I understand that cone NAT is a generally terrible and insecure way to do NAT, but game and application developers seem hell-bent on depending on cone NAT behaviour. Is there a way to make it work with PF?

Regards,
Mike
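As an added illustration that is not part of Mike's post or of pf itself, here is a toy Python model of the distinction the post draws: static-port fixes the mapping (which external port is used), while "cone" behaviour is a property of filtering (which external peers may send inbound to that port). The NAT classes, addresses and port numbers are constructed for the example.

```python
from dataclasses import dataclass, field

# Filtering behaviours in RFC 4787 terms: "full cone" is endpoint-independent
# filtering; a per-flow state table like pf's is address-and-port-dependent.
FULL_CONE = "endpoint-independent"
SYMMETRIC = "address-and-port-dependent"


@dataclass
class Mapping:
    internal: tuple                       # (ip, port) of the LAN host
    peers: set = field(default_factory=set)  # external endpoints that created state


@dataclass
class ToyNat:
    filtering: str
    static_port: bool = False   # mimic pf's static-port: keep the internal source port
    next_port: int = 50000      # constructed start of the "random" port pool
    table: dict = field(default_factory=dict)  # external port -> Mapping

    def outbound(self, internal, peer):
        """LAN host 'internal' sends to 'peer'; return the external port used."""
        if self.static_port:
            ext_port = internal[1]          # mapping is fixed to the internal port
        else:
            ext_port, self.next_port = self.next_port, self.next_port + 1
        m = self.table.setdefault(ext_port, Mapping(internal))
        m.peers.add(peer)                   # remember who this state was created for
        return ext_port

    def inbound(self, peer, ext_port):
        """Packet from 'peer' to our external port; return the LAN endpoint or None."""
        m = self.table.get(ext_port)
        if m is None:
            return None                     # no state at all: dropped
        if self.filtering == FULL_CONE:
            return m.internal               # any peer may use the open mapping
        return m.internal if peer in m.peers else None  # only the original peer(s)


def demo(filtering, static_port):
    """Host talks to peer A; report the external port and what A and B get inbound."""
    nat = ToyNat(filtering, static_port)
    host = ("192.0.2.10", 20000)            # constructed LAN host
    peer_a = ("198.51.100.1", 27015)        # constructed external IP A
    peer_b = ("203.0.113.7", 27015)         # constructed external IP B
    ext = nat.outbound(host, peer_a)
    return ext, nat.inbound(peer_a, ext), nat.inbound(peer_b, ext)
```

With static_port=True and SYMMETRIC filtering the external port is the predictable 20000, yet B's packet is still dropped; only FULL_CONE filtering lets B through, which is the behaviour the post is asking about.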