Forgot to send to the list, twice! If it's RTP, (http://en.wikipedia.org/wiki/Real-time_Transport_Protocol), which some quick Googling indicates, your best bet may be to make a table of sending hosts with a pass ... inet proto udp ... from <table> to ? port >1024 rule.
Hugo Osvaldo Barrera wrote:
> On Thu, Apr 8, 2010 at 00:54, James Shupe <professio...@jamesshupe.com>
> wrote:
>> Use "log (all)" and tcpdump to figure out exactly what is being blocked.
>>
>> On 4/7/10 10:40 PM, Hugo Osvaldo Barrera wrote:
>>> I'm using OpenBSD 4.6 at home as an access point, firewall and home
>>> server (with pf).
>>> I've recently had some issues trying to use pidgin's [XMPP] video
>>> support on one of my client computers, yet, if I connect it directly
>>> to the internet it works fine; hence the problem is the firewall
>>> configuration (as one of the pidgin devs pointed out it might have
>>> been).
>>> I THINK UDP packets are being dropped, but I must really say, this
>>> problem is a bit above my level of understanding.
>>>
>>> I need to know how to make sure UDP packets don't get dropped on the
>>> way to my PC, but I'm not really sure how.
>>>
>>> I think a simple "pass in proto udp" is a bit extremist (though it
>>> would work).
>>> Any better suggestions?
>>>
>>> My current pf.conf file is:
>>>
>>> -----
>>> # $OpenBSD: pf.conf,v 1.44 2009/06/10 15:29:34 sobrado Exp $
>>> #
>>> # See pf.conf(5) for syntax and examples; this sample ruleset uses
>>> # require-order to permit mixing of NAT/RDR and filter rules.
>>> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
>>> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>>>
>>> # Skip lo
>>> set skip on lo
>>>
>>> #############
>>> # Variables #
>>> #############
>>> extif = "re0"
>>> intif = "ral0"
>>> chaos = "172.16.1.7"
>>> mamaquina = "172.16.1.12"
>>>
>>> tcp_services="{ 22, 113, 80, 443 }"
>>>
>>> icmp_types = "echoreq"
>>> allproto = "{ tcp, udp, ipv6, icmp, esp, ipencap }"
>>> privnets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
>>>
>>> table <intnet> { 172.16.0.1/16 }
>>>
>>> # Options
>>> set loginterface $extif
>>> match in all scrub (no-df)
>>>
>>> #######
>>> # NAT #
>>> #######
>>> nat on $extif from $intif:network -> ($extif)
>>> # TODO Maybe move this down to service ports? Check first.
>>> rdr pass log on $extif proto tcp from any to any port 1022 -> $chaos port 22
>>>
>>> block in
>>> pass out keep state
>>>
>>> antispoof quick for { lo $intif }
>>>
>>> block drop in on $extif from $privnets to any
>>> block drop in on $extif from any to $privnets
>>>
>>> #################
>>> # SERVICE PORTS #
>>> #################
>>>
>>> # Open ports for local services
>>> pass in on $extif inet proto tcp from any to ($extif) port $tcp_services flags S/SA keep state
>>>
>>> ### OTHER PORTS AND OPENINGS
>>> pass in on $extif from any to 172.16.1.7
>>> pass in on $extif from any to 172.16.2.4
>>>
>>> pass in on $extif proto {tcp, udp} from any to any port 53
>>>
>>> # ICMP Traffic
>>> pass in inet proto icmp all icmp-type $icmp_types keep state
>>>
>>> # LAN - everything is allowed in/out
>>> pass in quick on $intif
>>> pass out quick on $intif
>>>
>>>
>>> ### Block remote connections to the X Server
>>> block in on ! lo0 proto tcp to port 6000:6010
>>> -----
>>>
>>> Thanks for your time guys!
>>>
>>> --
>>> Hugo Osvaldo Barrera
>>>
>>
>
> As I had supposed; pf is blocking the UDP packages:
>
> Apr 08 01:31:58.241781 rule 1/(match) block in on re0: <the-other-IP>.59789 > <my-ip>.50688: udp 56
> Apr 08 01:31:58.363252 rule 1/(match) block in on re0: <the-other-IP>.59792 > <my-ip>.52166: udp 56
> Apr 08 01:31:58.363991 rule 1/(match) block in on re0: <the-other-IP>.59793 > <my-ip>.50688: udp 56
>
> There are several more dozen lines like this one.
> However, each one uses a different port, so how can I solve the
> problem? I don't even see a predicting which ports I'd need to open
> (they ARE random).
>

--
Thank you,
James M. Shupe
GPG: 9C5C4417
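The "table of sending hosts" rule James suggests, written out as an added pf.conf(5) example in the OpenBSD 4.6 syntax the thread uses (not code from the thread or from either poster); the table name rtp_peers, the peer address 203.0.113.5 and the re0 external interface are assumptions taken from the posted ruleset.

```pf
# Added example, not from the thread: a table-scoped UDP pass rule in
# OpenBSD 4.6 pf.conf(5) syntax. <rtp_peers> and 203.0.113.5 are assumed.
extif = "re0"

# Sending hosts. 'persist' keeps the table around even when empty so it
# can be filled at runtime:   pfctl -t rtp_peers -T add 203.0.113.5
#                   and read: pfctl -t rtp_peers -T show
table <rtp_peers> persist

# Default deny stays in place.
block in

# Too broad (the "pass in proto udp" the thread calls extremist): every
# UDP datagram from anywhere to any port on the firewall is admitted.
# pass in on $extif inet proto udp from any to any

# Scoped instead: only the listed peers, only unprivileged destination
# ports (the blocked packets in the log all target varying ports above
# 1024), stateful, and logged so that
#   tcpdump -n -e -ttt -i pflog0
# shows which datagrams actually matched this rule.
pass in log on $extif inet proto udp from <rtp_peers> \
    to ($extif) port > 1024 keep state

# Caveat: this admits the datagram to the firewall's own address. A
# client NATed behind 'nat on $extif' is only reached if existing state
# or an rdr entry translates the datagram to it.
```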