From owner-freebsd-net@FreeBSD.ORG Mon Apr 30 05:45:57 2012
Message-ID: <4F9E270F.3070605@gmail.com>
Date: Sun, 29 Apr 2012 22:45:51 -0700
From: Darren Pilgrim
To: Michael MacLeod
Cc: freebsd-net@freebsd.org
Subject: Re: Full Cone NAT In PF
List-Id: Networking and TCP/IP with FreeBSD

On 2012-04-29 17:03, Michael MacLeod wrote:
> I understand that cone NAT is a generally terrible and insecure way to do
> NAT, but game and application developers seem hell-bent on depending on
> cone NAT behaviour. Is there a way to make it work with PF?

Not directly, no.

In most cases where the application/device will not work through symmetric NAT, all that is necessary is a port forward, not true full-cone NAT. Have a look at the net/miniupnpd port. It is a UPnP daemon that anchors to pf and maintains rdr rules for dynamic port forwarding. You can do the same thing on a static basis by maintaining your own nat static-port and rdr rules if your SIP devices do not support UPnP.

For those who search mail archives, this is also how you get a FreeBSD router to make your PS3 show NAT type 2 instead of type 3 or your Xbox show NAT type open instead of strict or moderate.
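The static alternative the reply describes (a `nat ... static-port` rule for one device plus an `rdr` port forward), written out as a pf.conf fragment. This is an added illustration, not configuration from the post or from the miniupnpd port; the interface names, the LAN subnet, the device address and the port number are all assumptions, and the syntax is the pre-FreeBSD 10 `nat`/`rdr` form that the reply's wording refers to.

```pf
# Constructed example, not from the original message. Interface names,
# addresses and the port are placeholders; substitute your own.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"
device  = "192.168.1.50"          # the console or SIP phone
dev_port = "12345"                # placeholder: the UDP port the device needs

# Translation rules are first-match, so the device-specific rule must
# precede the generic one or it would never be reached.

# Keep the device's original source port when translating, so the
# mapping peers see stays stable (the reply's "nat static-port").
nat on $ext_if proto udp from $device to any -> ($ext_if) static-port

# Ordinary symmetric NAT with a random source port for everyone else.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Static port forward: unsolicited inbound UDP to that port on the
# external address is redirected to the device (the reply's "rdr rule").
rdr on $ext_if proto udp from any to ($ext_if) port $dev_port -> $device

# rdr only rewrites the destination; a filter rule must still admit the
# traffic. Match on the translated (internal) address and keep it narrow:
# one protocol, one port, one host, so only the intended service is exposed.
pass in on $ext_if proto udp from any to $device port $dev_port keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -s nat` shows the translation rules as loaded, and `pfctl -s state` lets you confirm that outbound flows from the device keep their source port while other LAN hosts get random ones.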