Date:      Sun, 29 Apr 2012 22:47:23 -0400
From:      Zaphod Beeblebrox <zbeeble@gmail.com>
To:        Michael MacLeod <mikemacleod@gmail.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Full Cone NAT In PF
Message-ID:  <CACpH0MddANqnT-GBbp=GnXcgKN_%2B8rePLpVNWXZz3%2BxPkvRHWQ@mail.gmail.com>
In-Reply-To: <CAM-FeoFie0aZJXu0%2BiCo=_myjz1QH89G1WSBDmp8PUZ2NYQkHg@mail.gmail.com>
References:  <CAM-FeoFie0aZJXu0%2BiCo=_myjz1QH89G1WSBDmp8PUZ2NYQkHg@mail.gmail.com>

On Sun, Apr 29, 2012 at 8:03 PM, Michael MacLeod <mikemacleod@gmail.com> wrote:

> Every once in a while I run into an issue wherein the symmetric NAT of pf
> causes me grief. I've found some older mailing list entries asking about PF
> and Cone or Full Cone NAT (such as this one from 2005:
> http://www.mail-archive.com/freebsd-pf@freebsd.org/msg00804.html), but I
> haven't seen anything new in a while.
>
> Almost all discussion I can find suggests to use static-port on the NAT
> rule entry, but this doesn't seem to be entirely the same thing. Adding
> static-port will prevent PF from randomizing the source port used for
> outbound TCP and UDP traffic, but I don't see any mention of it enabling
> actual Cone behaviour with regards to inbound traffic destined for the
> now-not-random port. It appears that a NAT table entry, even with the
> static-port option, will still not accept an inbound packet from external
> IP B when the NAT rule was originally created for external IP A, which I
> gather is the main thrust of cone NAT.
>
> I understand that cone NAT is a generally terrible and insecure way to do
> NAT, but game and application developers seem hell-bent on depending on
> cone NAT behaviour. Is there a way to make it work with PF?

You might want this because some of your internal machines play video
games.  The unfortunate thing is that some video games are "somewhat"
smart about getting around NAT and others are exceedingly dumb.  In
the end, what you do will depend on what resources you have.

I found that:

nat on $ext_if inet from $int_net to any -> ($ext_if) static-port

is best paired with:

rdr on $ext_if inet from any to $ext_ip -> $workstation_ip

Now... this works well for one gaming workstation.  Also be clear that
the outside world is free to attack it.  You might want to put in a
bunch of rules to protect its SMB and whatnot ports.

With just the 'nat' rule as above, CoD will call your NAT "strict" (in
red).  With both rules, CoD will call your NAT "moderate" in grey.
With just the first rule and borderlands, you'll be able to join but
not host games.  With both rules, you'll be able to host games.

I don't see an easy way to open only ports that are active with other
traffic on pf.
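A pf.conf fragment that puts the two rules from the message together with the protective filter rules it suggests (an added example, not from the original post; the interface names, addresses and the SMB port list are assumed placeholders, and the syntax is the nat/rdr form used on FreeBSD at the time):

```pf
# Added example, not from the original message. Macro values are placeholders.
ext_if = "em0"
int_net = "192.168.1.0/24"
ext_ip = "203.0.113.10"            # external address (documentation range, assumed)
workstation_ip = "192.168.1.50"    # the single gaming workstation (assumed)
smb_ports = "{ 137, 138, 139, 445 }"

# Translation, as described in the post: keep the outbound source port stable,
# then send everything that arrives at the external address to the workstation.
nat on $ext_if inet from $int_net to any -> ($ext_if) static-port
rdr on $ext_if inet from any to $ext_ip -> $workstation_ip

# Filtering: rdr is applied before the filter, so these rules see the
# workstation's internal address. The rdr exposes the whole host, so deny
# by default, drop the services that must never be reachable, then pass the rest.
block in on $ext_if
block in quick log on $ext_if inet proto { tcp, udp } from any to $workstation_ip port $smb_ports
pass in on $ext_if inet proto { tcp, udp } from any to $workstation_ip keep state
pass out on $ext_if inet keep state
```

pf takes the last matching rule unless `quick` is set, so the SMB block carries `quick` to win over the broader pass that follows it; load with `pfctl -nf /etc/pf.conf` first to syntax-check before `pfctl -f`.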
