Multicast over NAT
Jany
sebosik at demax.sk
Tue Nov 15 14:35:06 PST 2005
Hello
In our network it is possible to watch TV and listen to the radio over the net
(they are multicast). I've got a simple NAT on my FreeBSD 6 (pf.conf) box:
## PF config for my test box
#
## macros
ext_if = "fxp0"
int_if = "ex0"
## tables
table <lan_net> const { 192.168.1.0/24 }
## packet normalization
scrub in all
## NAT
nat on $ext_if from $int_if:network to any -> $ext_if
# FTP workaround
rdr pass on $int_if proto tcp from any to !($ext_if) port 21 -> \
    127.0.0.1 port 8021
# DC++ redir -port 19670
rdr pass on $ext_if proto {tcp,udp} from any to 195.62.17.204 port 19670 \
    -> 192.168.1.2
# torrent to local LAN on port 41800:41810
rdr pass on $ext_if proto {tcp,udp} from any to $ext_if port 41800:41810 \
    -> 192.168.1.2 port 41800:*
## packet filtering
#######################################################################
## default blocking policy
block in log on $ext_if all
## antispoof-ing :)
antispoof quick for $int_if inet
## lo0 all traffic passing
pass on lo0 all
## allowing traffic to the LAN
pass on $int_if from any to any flags S/SA keep state
## allow traffic to remote hosts from $ext_if
pass out on $ext_if proto {tcp, udp} from $ext_if to any flags S/SA \
    modulate state
pass in log on $ext_if proto {tcp, udp} from any to $ext_if port {123, 53} \
    keep state flags S/SA
## allow DNS resolving from local to 195.62.17.204
pass out on $int_if proto {tcp, udp} from $int_if:network to $int_if \
    port 53 flags S/SA keep state
pass out on lo0 proto {tcp, udp} from $ext_if to $ext_if port 53 keep state
## allowing ICMP from internet, 8-echo 0-echoreply 3-destination unreachable
pass inet proto { icmp } icmp-type { 0, 3, 8 } keep state
## allowing torrent traffic
pass in on $ext_if proto {tcp,udp} from any to 195.62.17.204 port \
    { 6880 >< 6890, 40800 >< 40810, 41800 >< 41810 } flags S/SA keep state
## allow DC++ traffic
pass in on $ext_if proto { tcp, udp } from any to 195.62.17.204 port 19670 \
    flags S/SA keep state
## allow accessing FTP server from internet
pass in log on $ext_if proto { tcp, udp } from any to 195.62.17.204 port 21 \
    flags S/SA keep state
pass in log on $ext_if proto { tcp, udp } from any to 195.62.17.204 port >= 49152 \
    flags S/SA keep state
## FTP from local net
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) \
    user proxy flags S/SA keep state
I found that I need to allow packets with allow-opts (IGMP), which I
also tried, but it doesn't help... If I try to fetch the playlist in VLC
via SAP announces, it sends some IGMP packets to $int_if, but they won't
pass out on $ext_if. Is it possible to configure Packet Filter to support
multicast traffic?
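As an added illustration (not part of the original post or the list's reply), the fragment below shows the two things a pf ruleset needs before multicast can work through a FreeBSD box at all: IGMP must be passed with allow-opts, because IGMP packets carry the IP Router Alert option and pf drops any packet with IP options unless the matching pass rule says allow-opts; and the UDP streams to group addresses (224.0.0.0/4) must be passed on the way in and on the way out. It reuses the $ext_if and $int_if macros from the ruleset above and assumes a multicast routing daemon (for example mrouted or igmpproxy) runs on the box; pf only filters, it never forwards a multicast packet or re-sends an IGMP report upstream by itself, and the nat rule does not apply to group destinations.

```pf
## Added example, not from the original ruleset. Assumes the $ext_if and
## $int_if macros from the post and a multicast routing daemon on this box.
mcast_net = "224.0.0.0/4"

## IGMP membership reports and queries carry the Router Alert IP option;
## without allow-opts pf drops them with reason "ip-option" before any
## other rule is considered. Rules are stateless here (pf in FreeBSD 6
## only keeps state when told to; on newer pf add "no state").
pass in  quick on $ext_if inet proto igmp from any to $mcast_net allow-opts
pass out quick on $ext_if inet proto igmp from any to $mcast_net allow-opts
pass in  quick on $int_if inet proto igmp from $int_if:network to $mcast_net allow-opts
pass out quick on $int_if inet proto igmp from any to $mcast_net allow-opts

## The streams themselves: UDP to a group address arrives on the external
## interface and is forwarded by the multicast routing daemon out of the
## internal one. Restricting the destination to $mcast_net keeps this from
## widening the general "block in log on $ext_if all" policy.
pass in  quick on $ext_if inet proto udp from any to $mcast_net
pass out quick on $int_if inet proto udp from any to $mcast_net
```

A quick check that the rules parse before loading them is `pfctl -nf /etc/pf.conf`; once loaded, `pfctl -vvsr` shows per-rule counters, and IGMP packets that are still being dropped for IP options show up under the "ip-option" counter in `pfctl -si` rather than in the pflog output of the block rule.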