PF And Cone NAT

Michael MacLeod mikemacleod at gmail.com
Tue Apr 3 19:24:20 UTC 2012


Ladies and Gentlemen,

Every once in a while I run into an issue wherein the symmetric NAT of pf
causes me grief. I've found some older mailing list entries asking about PF
and Cone or Full Cone NAT (such as this one from 2005:
http://www.mail-archive.com/freebsd-pf@freebsd.org/msg00804.html), but I
haven't seen anything new in a while.

Almost all discussion I can find suggests to use static-port on the NAT
rule entry, but this doesn't seem to be entirely the same thing. Adding
static-port will prevent PF from randomizing the source port used for
outbound TCP and UDP traffic, but I don't see any mention of it enabling
actual Cone behaviour with regards to inbound traffic destined for the
now-not-random port. It appears that a NAT table entry, even with the
static-port option, will still not accept an inbound packet
from external IP B when the NAT rule was originally created for external IP
A, which I gather is the main thrust of cone NAT.

I understand that cone NAT is a generally terrible and insecure way to do
NAT, but game and application developers seem hell-bent on depending on
cone NAT behaviour. Is there a way to make it work with PF?

Regards,
Mike
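As an added illustration, not part of Mike's message or of any reply in the freebsd-pf archive, here is the shape of the FreeBSD pf.conf NAT rule the thread is about, with and without `static-port`. The interface and network names (`em0`, `192.168.1.0/24`) are assumed placeholders; the comments describe what `static-port` does and does not change about pf's state matching.

```pf
# Added example (not from the original post). $ext_if and $int_net are
# assumed placeholder values for a FreeBSD-era pf.conf using "nat on" syntax.
ext_if  = "em0"
int_net = "192.168.1.0/24"

# Default NAT: pf rewrites the source address to the interface address and
# picks its own high source port for each new outbound connection, so the
# port seen by the outside world is unpredictable.
nat on $ext_if from $int_net to any -> ($ext_if)

# Alternative (enable one of the two nat rules; the first matching nat rule
# wins): static-port keeps the client's original source port on the outside.
# This only affects port selection. The state entry pf creates is still keyed
# on the full source/destination address and port tuple, so an inbound packet
# to that port from a different external host does not match the state, is
# not translated, and is evaluated by the filter rules like any other
# unsolicited inbound packet.
# nat on $ext_if from $int_net to any -> ($ext_if) static-port

# Typical accompanying filter policy: unsolicited inbound traffic on the
# external interface is dropped, which is why a second external peer cannot
# reach the translated port even when it is no longer random.
block in on $ext_if
pass out on $ext_if keep state
```

The point a reader of this thread should take from the example is in the comments: `static-port` changes which external port pf chooses, but not which remote endpoints a state entry will accept, so it does not by itself produce the per-mapping inbound acceptance that "cone" NAT implies.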

