From: "Mikhail T." <mi+thun@aldan.algebra.com>
Date: Sat, 11 Apr 2009 21:37:20 -0400
To: net@FreeBSD.org, ipfw@FreeBSD.org
Subject: natd interferes with incoming RTSP/RTP
List-Id: IPFW Technical Discussions

Hello!

I'm trying to watch video via RTSP/RTP from a remote net-camera on my 7.0-STABLE/i386 from July 6th:

    vlc --verbose 2 rtsp://user:password@remote.example.com/nphMpeg4/g726-320x240

Things work fine when my machine has the firewall disabled. Unfortunately, the machine is also in charge of protecting and NAT-ing for a small LAN, so keeping the ipfw down for long is not an option. Yet, with my usual firewall setup (the modified "simple" -- altered not to care what the outside IP address is, because it changes via DHCP), things time out...

However, if I disable just one of the rules below -- 1300, the one diverting all traffic to natd -- the video works fine... So it is not any of the other rules that are the problem, nor is it the remote server... Why would this happen, and how do I solve the problem?

Thanks!

Yours,

-mi

P.S. Output of /etc/rc.d/ipfw showing the rules, etc.:

net.inet.ip.fw.enable: 1 -> 0
Stopping natd.
Waiting for PIDS: 62054, 62054, 62054, 62054, 62054.
Starting natd.
Loading /lib/libalias_cuseeme.so
Loading /lib/libalias_ftp.so
Loading /lib/libalias_irc.so
Loading /lib/libalias_nbt.so
Loading /lib/libalias_pptp.so
Loading /lib/libalias_skinny.so
Loading /lib/libalias_smedia.so
Flushed all rules.
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from 192.168.1.0/24 to any in via nve0
00500 deny ip from any to 10.0.0.0/8 via nve0
00600 deny ip from any to 172.16.0.0/12 via nve0
00700 deny ip from any to 192.168.0.0/16 via nve0
00800 deny ip from any to 0.0.0.0/8 via nve0
00900 deny ip from any to 169.254.0.0/16 via nve0
01000 deny ip from any to 192.0.2.0/24 via nve0
01100 deny ip from any to 224.0.0.0/4 via nve0
01200 deny ip from any to 240.0.0.0/4 via nve0
/01300 divert 8668 ip from any to any via nve0/
01400 deny ip from 10.0.0.0/8 to any via nve0
01500 deny ip from 172.16.0.0/12 to any via nve0
01600 deny ip from 192.168.0.0/16 to any via nve0
01700 deny ip from 0.0.0.0/8 to any via nve0
01800 deny ip from 169.254.0.0/16 to any via nve0
01900 deny ip from 192.0.2.0/24 to any via nve0
02000 deny ip from 224.0.0.0/4 to any via nve0
02100 deny ip from 240.0.0.0/4 to any via nve0
02200 allow tcp from any to any established
02300 allow ip from any to any frag
02400 allow tcp from any to any dst-port 22 setup
02500 allow tcp from any to any dst-port 25 setup
02600 allow tcp from any to any dst-port 53 setup
02700 allow udp from any to any dst-port 53
02800 allow udp from any 53 to any
02900 allow tcp from any to any dst-port 80 setup
03000 allow tcp from any to any dst-port 2875 setup
03100 allow tcp from any to any dst-port 2885 setup
03200 allow tcp from any to any dst-port 2890 setup
03300 allow tcp from any to any dst-port 2895 setup
03400 allow tcp from any to any dst-port 2990 setup
03500 deny log logamount 100 tcp from any to any in via nve0 setup
03600 allow tcp from any to any setup
03700 allow udp from any to any dst-port 53 keep-state
03800 allow udp from any to any dst-port 123 keep-state
Firewall rules loaded.
net.inet.ip.fw.enable: 0 -> 1
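To see which of the rules above each half of an RTSP session lands on, with and without rule 1300, here is an added example (not part of the post, not FreeBSD code): a small matcher for the subset of ipfw syntax the rule set uses, fed a constructed subset of the rules and two constructed packets (the outgoing RTSP SETUP over TCP and the returning RTP datagram over UDP). The addresses, the RTP client port 1234 and the interface nve0 are assumptions.

```python
import ipaddress

# Constructed subset of the post's ipfw rule dump, kept in its original order.
RULES_TEXT = """\
00700 deny ip from any to 192.168.0.0/16 via nve0
01300 divert 8668 ip from any to any via nve0
02200 allow tcp from any to any established
02700 allow udp from any to any dst-port 53
03500 deny log logamount 100 tcp from any to any in via nve0 setup
03600 allow tcp from any to any setup"""

def parse_rule(line):
    t = line.split()                            # subset of 'ipfw list' syntax only
    r = {"num": int(t[0]), "action": t[1], "dport": None, "iface": None, "dir": None, "opts": set()}
    i = 3 if t[1] == "divert" else 2            # 'divert <port>' takes an argument
    if t[i] == "log": i += 3                    # 'log logamount N' never affects matching
    r["proto"], r["src"], r["dst"], i = t[i], t[i + 2], t[i + 4], i + 5
    while i < len(t):                           # '<proto> from <src> to <dst> [options]'
        if t[i] == "dst-port": r["dport"], i = int(t[i + 1]), i + 2
        elif t[i] == "via": r["iface"], i = t[i + 1], i + 2
        elif t[i] in ("in", "out"): r["dir"], i = t[i], i + 1
        else: r["opts"].add(t[i]); i += 1       # established, setup, keep-state
    return r

def in_net(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def matches(r, p):
    return (r["proto"] in ("ip", p["proto"])
            and in_net(r["src"], p["src"]) and in_net(r["dst"], p["dst"])
            and r["dport"] in (None, p["dport"]) and r["iface"] in (None, p["iface"])
            and r["dir"] in (None, p["dir"]) and (r["opts"] - {"keep-state"}) <= p["flags"])

def trace(packet, skip=()):
    # Rule numbers visited. 'divert' is not terminal: natd re-injects the packet and
    # ipfw resumes at the next rule. 65535 is the default rule (deny or accept per kernel build).
    path = []
    for r in map(parse_rule, RULES_TEXT.splitlines()):
        if r["num"] not in skip and matches(r, packet):
            path.append(r["num"])
            if r["action"] != "divert": return path
    return path + [65535]

# Constructed addresses: 203.0.113.10 is this host's outside address, 198.51.100.20 the
# camera. RTSP SETUP leaves over TCP/554; RTP returns as UDP to the client_port (1234 here).
RTSP_SYN = {"proto": "tcp", "src": "203.0.113.10", "dst": "198.51.100.20", "dport": 554,
            "iface": "nve0", "dir": "out", "flags": {"setup"}}
RTP_IN = {"proto": "udp", "src": "198.51.100.20", "dst": "203.0.113.10", "dport": 1234,
          "iface": "nve0", "dir": "in", "flags": set()}
```

trace(RTP_IN) shows that every nve0 packet in both directions passes through the divert before anything else, and that the incoming UDP stream is decided only by the default rule, since no listed rule admits it.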