From: Jim Hatfield
To: freebsd-questions@freebsd.org
Date: Wed, 29 Sep 2004 13:45:40 +0100
Organization: Insignia Solutions
Message-ID: <30bll0dfbc3nhd9h7enu0vhil6odofkb16@4ax.com>
Subject: ipnat and "udp consistent translation" (Skype related)

Using Skype on a machine behind a FreeBSD 4.x firewall using ipf/ipnat, if I try a file transfer I get "your connection is relayed" which suggests that there are problems using "UDP hole punching" to get a direct connection.

The Skype help page sends you to:

http://bgp.lcs.mit.edu/~dga/view.cgi

where ipnat gets a "no" in the "udp consistent translation" column.

I also ran the "natcheck" utility from here:

http://midcom-p2p.sourceforge.net/

on the firewall box itself (i.e. no NAT) I get:

>Request 20 of 20...
>
>TCP RESULTS:
>TCP consistent translation: YES (GOOD for peer-to-peer)
>TCP simultaneous open: YES (GOOD for peer-to-peer)
>TCP loopback translation: YES (GOOD for peer-to-peer)
>TCP unsolicited connections filtered: YES (GOOD for security)
>
>UDP RESULTS:
>UDP consistent translation: YES (GOOD for peer-to-peer)
>UDP loopback translation: YES (GOOD for peer-to-peer)
>UDP unsolicited messages filtered: YES (GOOD for security)

but on a machine inside I get:

>Request 4 of 20...
>Request 5 of 20...
>checkloopback connect: Invalid argument

which doesn't look good.

Googling didn't find anything so I was wondering if anyone else had experienced this and if so what their resolution was. It would be a shame to have to switch to a different firewall when ipf/ipnat is so easy to use and works so well for everything else, but at the same time I don't like the idea of someone else having to relay the Skype traffic unnecessarily.

jim
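
Added example, not part of the original message and not code from ipnat, natcheck or Skype: a toy model of what a "UDP consistent translation" test checks and why a NAT that fails it can break UDP hole punching. The Nat class, its port numbering, its port-restricted inbound filter and all addresses are assumptions constructed for illustration.

```python
import itertools

class Nat:
    """Toy UDP NAT (constructed model for illustration, not ipnat's code)."""
    def __init__(self, public_ip, per_destination):
        self.public_ip = public_ip
        self.per_destination = per_destination  # True: new port per remote endpoint
        self.ports = itertools.count(40000)
        self.table = {}    # mapping key -> public port
        self.allowed = {}  # public port -> (internal endpoint, remotes contacted)

    def outbound(self, src, dst):
        """Translate an outgoing datagram; return the (ip, port) the remote sees."""
        key = (src, dst) if self.per_destination else src
        if key not in self.table:
            self.table[key] = next(self.ports)
        port = self.table[key]
        self.allowed.setdefault(port, (src, set()))[1].add(dst)
        return (self.public_ip, port)

    def inbound(self, remote, public_port):
        """Deliver only from remotes already contacted (unsolicited UDP filtered)."""
        src, remotes = self.allowed.get(public_port, (None, ()))
        return src if remote in remotes else None

def consistent_translation(nat, client, servers):
    """natcheck-style test: one local socket, several servers, compare what they saw."""
    return len({nat.outbound(client, s) for s in servers}) == 1

def hole_punch(nat_a, a, nat_b, b, rendezvous):
    """Peers learn each other's address from a rendezvous server, then send directly."""
    pub_a = nat_a.outbound(a, rendezvous)   # address the server hands to B
    pub_b = nat_b.outbound(b, rendezvous)   # address the server hands to A
    nat_a.outbound(a, pub_b)                # A opens its side toward B
    seen_b = nat_b.outbound(b, pub_a)       # B's datagram as it leaves B's NAT
    return nat_a.inbound(seen_b, pub_a[1]) == a

# Constructed sample endpoints (documentation address ranges).
A, B = ("10.0.0.5", 5000), ("10.1.0.7", 6000)
SERVERS = [("198.51.100.1", 3478), ("198.51.100.2", 3478)]

if __name__ == "__main__":
    for per_dest in (False, True):
        ok = consistent_translation(Nat("203.0.113.1", per_dest), A, SERVERS)
        direct = hole_punch(Nat("203.0.113.1", False), A,
                            Nat("203.0.113.2", per_dest), B, SERVERS[0])
        print(f"per-destination={per_dest}: consistent={ok}, direct path={direct}")
```

In the per-destination case the rendezvous server sees one public port for the peer, but the peer's direct datagram leaves from a different one, so the other side's filter drops it and the only remaining path is a relay.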