On Thu, Apr 8, 2010 at 10:21, James Shupe <professio...@jamesshupe.com> wrote:
> Forgot to send to the list, twice!
>
> If it's RTP, (http://en.wikipedia.org/wiki/Real-time_Transport_Protocol),
> which some quick Googling indicates, your best bet may be to make a table
> of sending hosts with a pass ... inet proto udp ... from <table> to ? port
> > 1024 rule.
>
> <quote who="Hugo Osvaldo Barrera">
>> On Thu, Apr 8, 2010 at 00:54, James Shupe <professio...@jamesshupe.com> wrote:
>>> Use "log (all)" and tcpdump to figure out exactly what is being blocked.
>>>
>>> On 4/7/10 10:40 PM, Hugo Osvaldo Barrera wrote:
>>>> I'm using OpenBSD 4.6 at home as an access point, firewall and home
>>>> server (with pf).
>>>> I've recently had some issues trying to use pidgin's [XMPP] video
>>>> support on one of my client computers, yet, if I connect it directly
>>>> to the internet it works fine; hence the problem is the firewall
>>>> configuration (as one of the pidgin devs pointed out it might have
>>>> been).
>>>> I THINK UDP packets are being dropped, but I must really say, this
>>>> problem is a bit above my level of understanding.
>>>>
>>>> I need to know how to make sure UDP packets don't get dropped on the
>>>> way to my PC, but I'm not really sure how.
>>>>
>>>> I think a simple "pass in proto udp" is a bit extremist (though it
>>>> would work).
>>>> Any better suggestions?
>>>>
>>>> My current pf.conf file is:
>>>>
>>>> -----
>>>> # $OpenBSD: pf.conf,v 1.44 2009/06/10 15:29:34 sobrado Exp $
>>>> #
>>>> # See pf.conf(5) for syntax and examples; this sample ruleset uses
>>>> # require-order to permit mixing of NAT/RDR and filter rules.
>>>> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
>>>> # in /etc/sysctl.conf if packets are to be forwarded between
>>>> # interfaces.
>>>>
>>>> # Skip lo
>>>> set skip on lo
>>>>
>>>> #############
>>>> # Variables #
>>>> #############
>>>> extif = "re0"
>>>> intif = "ral0"
>>>> chaos = "172.16.1.7"
>>>> mamaquina = "172.16.1.12"
>>>>
>>>> tcp_services="{ 22, 113, 80, 443 }"
>>>>
>>>> icmp_types = "echoreq"
>>>> allproto = "{ tcp, udp, ipv6, icmp, esp, ipencap }"
>>>> privnets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
>>>>
>>>> table <intnet> { 172.16.0.1/16 }
>>>>
>>>> # Options
>>>> set loginterface $extif
>>>> match in all scrub (no-df)
>>>>
>>>> #######
>>>> # NAT #
>>>> #######
>>>> nat on $extif from $intif:network -> ($extif)
>>>> # TODO Maybe move this down to service ports? Check first.
>>>> rdr pass log on $extif proto tcp from any to any port 1022 -> $chaos port 22
>>>>
>>>> block in
>>>> pass out keep state
>>>>
>>>> antispoof quick for { lo $intif }
>>>>
>>>> block drop in on $extif from $privnets to any
>>>> block drop in on $extif from any to $privnets
>>>>
>>>> #################
>>>> # SERVICE PORTS #
>>>> #################
>>>>
>>>> # Open ports for local services
>>>> pass in on $extif inet proto tcp from any to ($extif) port $tcp_services flags S/SA keep state
>>>>
>>>> ### OTHER PORTS AND OPENINGS
>>>> pass in on $extif from any to 172.16.1.7
>>>> pass in on $extif from any to 172.16.2.4
>>>>
>>>> pass in on $extif proto {tcp, udp} from any to any port 53
>>>>
>>>> # ICMP Traffic
>>>> pass in inet proto icmp all icmp-type $icmp_types keep state
>>>>
>>>> # LAN - everything is allowed in/out
>>>> pass in quick on $intif
>>>> pass out quick on $intif
>>>>
>>>>
>>>> ### Block remote connections to the X Server
>>>> block in on ! lo0 proto tcp to port 6000:6010
>>>> -----
>>>>
>>>> Thanks for your time guys!
>>>>
>>>> --
>>>> Hugo Osvaldo Barrera
>>>
>>
>> As I had supposed; pf is blocking the UDP packets:
>>
>> Apr 08 01:31:58.241781 rule 1/(match) block in on re0: <the-other-IP>.59789 > <my-ip>.50688: udp 56
>> Apr 08 01:31:58.363252 rule 1/(match) block in on re0: <the-other-IP>.59792 > <my-ip>.52166: udp 56
>> Apr 08 01:31:58.363991 rule 1/(match) block in on re0: <the-other-IP>.59793 > <my-ip>.50688: udp 56
>>
>> There are several more dozen lines like this one.
>> However, each one uses a different port, so how can I solve the
>> problem? I don't even see a way of predicting which ports I'd need to open
>> (they ARE random).
>>
>
> --
> Thank you,
> James M. Shupe
> GPG: 9C5C4417
>
Effectively, it uses RTP. However, I don't quite understand your idea. How would the table be updated with which ports to redirect? Or do you mean it to be static with the port range currently in use?

The port used seems to be random between 50000 and 60000 (something I have not found a reference to in anything linked to RTP). Redirecting them with a rule like "rdr pass on $extif proto udp from any to $extif port 50000:60000 -> $mypc" should work, but this does not seem like the proper solution. Or am I wrong? (=

Isn't there a way to have this work so that, in future, MORE than one PC can use RTP? This isn't a MUST right now, but I would prefer to find some solution that would work in future.

BTW James: Thank you very much, pointing out that XMPP's video-conference implementation uses RTP helped me google A LOT more info on the subject :)
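As an added illustration of the two approaches discussed in this thread (the static rdr of the observed 50000-60000 range, and James's table of sending hosts), here is a pf.conf fragment in the OpenBSD 4.6 syntax the posted ruleset uses. It is not from the thread or from any poster; the interface name re0, the 172.16.1.12 address for the PC running pidgin and the 50000:60000 range are assumptions taken from the posted configuration and the log excerpt. Use one option or the other, not both, since the first matching rdr rule wins.

```pf
# Added example, not from the thread.  OpenBSD 4.6 pf syntax (rdr/nat
# rules; for filter rules the last matching rule wins unless "quick").
# Assumptions: re0 is the external interface, 172.16.1.12 is the PC
# running pidgin, and its RTP ports fall in 50000-60000 as the
# blocked-packet log suggests.
extif     = "re0"
mypc      = "172.16.1.12"
rtp_ports = "50000:60000"

# --- Option A: static redirect of the whole range to one LAN host ---
# "rdr pass" passes the packet without consulting the filter rules, the
# same way the posted port 1022 -> 22 rule does.  Only one internal host
# can own a given external port range this way: a second rdr for the
# same ports to another host is never reached (first matching rdr wins),
# which is why this does not scale to a second PC on the same range.
rdr pass log on $extif inet proto udp from any to ($extif) port $rtp_ports -> $mypc

# --- Option B: accept the range only from known peers, kept in a table ---
# The table starts empty and is filled at run time with pfctl (see note
# below); "persist" keeps the table defined while it is empty.
table <rtp_peers> persist

# Translation happens before filtering in pf 4.6, so the filter rule
# below must match the translated (LAN) destination, not $extif.
rdr on $extif inet proto udp from <rtp_peers> to ($extif) port $rtp_ports -> $mypc

# Put this after the "block drop in on $extif from any to $privnets"
# rule of the posted ruleset: that block carries no "quick", so this
# later, more specific pass wins.  "keep state" lets the UDP replies out.
pass in on $extif inet proto udp from <rtp_peers> to $mypc port $rtp_ports keep state
```

Entries are added and inspected at run time without reloading the ruleset, for example `pfctl -t rtp_peers -T add 203.0.113.5` (a documentation address standing in for the remote peer) and `pfctl -t rtp_peers -T show`; the peer's public address is the source shown as <the-other-IP> in the pflog output above, so it still has to be learned from the log or from the other party before each call. Neither option answers the "more than one PC" question: a single external port range can be redirected to only one LAN host, so a second PC would need its own, non-overlapping range and its own rdr.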