From owner-freebsd-net@FreeBSD.ORG Mon Apr 30 02:47:25 2012
Date: Sun, 29 Apr 2012 22:47:23 -0400
From: Zaphod Beeblebrox
To: Michael MacLeod
Cc: freebsd-net@freebsd.org
Subject: Re: Full Cone NAT In PF
List-Id: Networking and TCP/IP with FreeBSD

On Sun, Apr 29, 2012 at 8:03 PM, Michael MacLeod wrote:
> Every once in a while I run into an issue wherein the symmetric NAT of pf
> causes me grief. I've found some older mailing list entries asking about PF
> and Cone or Full Cone NAT (such as this one from 2005:
> http://www.mail-archive.com/freebsd-pf@freebsd.org/msg00804.html), but I
> haven't seen anything new in a while.
>
> Almost all discussion I can find suggests to use static-port on the NAT
> rule entry, but this doesn't seem to be entirely the same thing. Adding
> static-port will prevent PF from randomizing the source port used for
> outbound TCP and UDP traffic, but I don't see any mention of it enabling
> actual Cone behaviour with regards to inbound traffic destined for the
> now-not-random port. It appears that a NAT table entry, even with the
> static-port option, will still not accept an inbound packet from external
> IP B when the NAT rule was originally created for external IP A, which I
> gather is the main thrust of cone NAT.
>
> I understand that cone NAT is a generally terrible and insecure way to do
> NAT, but game and application developers seem hell-bent on depending on
> cone NAT behaviour. Is there a way to make it work with PF?

You might want this because some of your internal machines play video games.
The unfortunate thing is that some video games are "somewhat" smart about
getting around NAT and others are exceedingly dumb. In the end, what you do
will depend on what resources you have.

I found that:

    nat on $ext_if inet from $int_net to any -> ($ext_if) static-port

is best paired by:

    rdr on $ext_if inet from any to $ext_ip -> $workstation_ip

Now... this works well for one gaming workstation. Also be clear that the
outside world is free to attack it. You might want to put in a bunch of
rules to protect its SMB and whatnot ports.

With just the 'nat' rule as above, CoD will call your NAT "strict" (in red).
With both rules, CoD will call your NAT "moderate" in grey. With just the
first rule and Borderlands, you'll be able to join but not host games. With
both rules, you'll be able to host games.
I don't see an easy way to open only ports that are active with other traffic on pf.
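The nat/rdr pairing from the message above, written out as a complete pf.conf fragment together with the protective filter rules the message only alludes to. This is an added example, not configuration from the original poster; interface names, addresses and the port list are placeholder assumptions.

```pf
# Added example (not from the original message). Interface names and
# addresses below are placeholders; adjust them to the real network.
ext_if         = "em0"
int_if         = "em1"
int_net        = "192.168.1.0/24"
ext_ip         = "203.0.113.10"
workstation_ip = "192.168.1.50"
# Windows file-sharing/RPC/RDP ports that must never be reachable through
# the catch-all redirect (assumed list; extend for whatever else the
# workstation listens on).
win_ports = "{ 135, 137:139, 445, 3389 }"

# Outbound NAT that keeps the internal source port (the static-port half).
nat on $ext_if inet from $int_net to any -> ($ext_if) static-port

# Catch-all redirect of unsolicited inbound traffic for the external
# address to the gaming workstation (the rdr half). pf translates before
# it filters, so the filter rules below see $workstation_ip as destination.
rdr on $ext_if inet from any to $ext_ip -> $workstation_ip

# Default deny on the external interface.
block in log on $ext_if

# Shield the workstation's SMB/RPC/RDP ports from the redirect. "quick"
# stops rule evaluation so the later pass rule cannot override these.
block in quick on $ext_if proto tcp from any to $workstation_ip port $win_ports
block in quick on $ext_if proto udp from any to $workstation_ip port $win_ports

# Everything else that was redirected reaches the workstation, statefully.
pass in on $ext_if inet proto { tcp, udp } from any to $workstation_ip keep state

# Let the internal network out (source is already translated on $ext_if).
pass in  on $int_if inet from $int_net to any keep state
pass out on $ext_if inet keep state
```

Because the rdr rule has no "pass" keyword, the redirected traffic still has to satisfy the filter rules, which is what makes the block rules for $win_ports effective.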