Date: Sun, 20 Mar 2022 12:56:15 +0100 From: Harry Schmalzbauer <freebsd@omnilan.de> To: freebsd-net@freebsd.org Subject: pf(4) action match/overload somehow? Message-ID: <6142d0eb-f73f-13cf-4f7f-67b2395f4709@omnilan.de>
next in thread | raw e-mail | index | archive | help
Hello,
the following real-world proglem urged me to allow UDP connections from
LAN to any.
STUN is used to establish a fictious UDP connection to the connecting
peer on a specific port, to drill the state-hole.
Therefore, I have these translation rules added before the general
(non-"static-port" <- the NAT UDP-traversal key) translation rules
(translation is a first-match-wins):
nat on $INTERLINK_IF4 inet proto tcp from <cml_lansrc-approvedrtc> to
<wknfriendly_cmlapproved-stun> port { 3478 5349 } -> $WANCMLnat static-port
nat on $INTERLINK_IF4 inet proto udp from <cml_lansrc-approvedrtc> to !
($INTERLINK_IF4:0:network) port >= 1024 -> $WANCMLnat static-port
The corresponding filter rules looks like this for my example:
pass in quick on $CML_IF inet proto { tcp udp } from
<cml_lansrc-approvedrtc> to { <wknfriendly_cmlapproved-stun>
<wknfriendly_cmlapproved-turn> } port { 3478 5349 } tag INTERLINK-op
pass in quick on $CML_IF inet proto udp from <cml_lansrc-approvedrtc> to
<wknfriendly_cmlapproved-turn> port >= 49152 tag INTERLINK-op
pass in quick on $CML_IF inet proto udp from <cml_lansrc-approvedrtc>
port > 1023 to any port >= 1023 tag INTERLINK-op
(actually "any" reads "! <_directnetaddrs-auto>", but it's of no matter
to this topic and just more confusing in case...)
My problem is, I have to generously add any potential LAN client to
<cml_lansrc-approvedrtc>, which I'd like to avoid (especially for the
any-destination rule - last one above).
One way to avoid this was if I could use something like a "match" action
in combination with what state option "overload" provides:
Do something on rule hit - filling table in this case, which could look
like this:
\<Non-existing rule syntax\>
match in record-srcip on $IF inet proto { tcp udp } from $IF to
<wknfriendly_cmlapproved-stun> port 3478 table <cml_lansrc-approvedrtc>
\</Non-existing rule syntax\>
This way, the permission to connect with global IP (and orginating
src-port) to any UDP destination is only allowed for clients, which have
previously talked to one of our well known and approved STUN servers.
Any idea if there's already something in pf(4) which could provide a
similar solution?
"overload" only is available for |max-src-conn and |||max-src-conn-rate,
which in turn is for TCP only.||
||
||
||Thanks,||
||-harry
||
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6142d0eb-f73f-13cf-4f7f-67b2395f4709>