Contributed by jose on from the dynamic-port-assignment dept.
Anyone with some PF skills want to suggest a recipe?
(Comments are closed)
OpenBSD Journal
Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]
By Chris Cappuccio () chris@nmedia.net on mailto:chris@nmedia.net
Comments
By knowfear () acordm@msoe.edu on mailto:acordm@msoe.edu
so, no state is open yet for udp, and the server starts sending udp messages which the firewall stops.
Understand better?
By Will () on
I did that on my previous OpenBSD firewall, and also on my current non-OpenBSD firewall. ( A cheap adaptec firewall in a box.)
When watching the BBC news on Real player the picture is MUCH better and smoother.
The drawback is that you need to open a pair of ports for each PC that wants to view UDP streams, and each IP used needs to have a couple of ports assigned to it.
A bit of a kludge but it worked for me.
Will
By knowfear () acordm@msoe.edu on mailto:acordm@msoe.edu
By Joe Klein () klein@joe.com on http://www.joe.com
Other than that, add "keep state" to your UDP traffic and you should be in Media Player and Quicktime heaven. Don't know about Real because those guys suck:
1. they try and take over your computer
2. they port scan your computer all the time!
By Z-Blocker () on
Well I never saw this problem before.
I think you should give some more info about this.
Do you want to stream yourself or just receive streams?
In both situations it was successful on my site.
Z
By knowfear () acordm@msoe.edu on mailto:acordm@msoe.edu
When I am streaming video/audio over the internet it is usually not very smooth. There are breaks/stops in the feed. I believe the breaks are due to the extra overhead associated with TCP. Streaming media was meant for quick UDP traffic, however streaming protocols are NOT firewall friendly. They are designed similar to FTP where there is an initial port connected on, then the client requests data be sent onto another port (in this case, the UDP feed, in FTP the data feed). As you are aware, simply using state for FTP does not allow you to do active ftp because of this case. The same happens with these streaming media programs, simply using state on UDP does not allow them to work as they should.
Will suggested one solution I have read about, which is mapping incoming UDP ports to a specific machine, then setting up those machines to request their specific ports. Besides being a pain to setup/maintain, this kind of defeats some of the purpose of the firewall (IMO). I am looking for a cleaner/safer way to do this.
Any help/resources would be appreciated!
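One way to write out the two approaches in the thread, Joe's "keep state on UDP" rule and Will's per-PC static port forward, as pf.conf; this is an added example, not something posted in the thread. The interface name, the client address and the UDP port pair are assumptions, and the grammar is the OpenBSD 4.7 and later form (rdr-to on a pass rule).

```pf
# Added example, not from the thread. Assumptions: em0 is the outside
# interface, 192.168.1.10 is the one PC allowed to receive UDP streams,
# and 6970:6971 is the UDP port pair that PC is configured to ask the
# streaming server to send the data feed to.
ext_if        = "em0"
stream_client = "192.168.1.10"
stream_ports  = "6970:6971"

# Default deny inbound, allow outbound. Every pass rule keeps state by
# default, so the client's outgoing control connection and any UDP that
# comes back on the SAME source/destination port pair gets through.
block in on $ext_if
pass out on $ext_if

# This alone is the "keep state" advice. It is not enough for the
# FTP-style case: the server sends the data feed to a port the client
# requested in-band, which matches no existing state entry and is
# blocked by the default deny above.

# Will's workaround: permanently forward the client's chosen UDP port
# pair to that one PC. Each additional PC needs its own pair and its
# own rule, and the ports are open to any source all the time, which
# is the trade-off the thread is complaining about.
pass in on $ext_if proto udp to ($ext_if) port $stream_ports \
    rdr-to $stream_client
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -ss` will show the forwarded UDP stream's state entries while a feed is playing.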
By Oliver Neubauer () on
If you want to do things the way you describe in your last paragraph then authpf is a very handy way of dynamically changing firewall rules in a fairly secure way, and only when you need them.
Hope this helps
o
By knowfear () acordm@msoe.edu on mailto:acordm@msoe.edu
By Oliver Neubauer () on
Like I said, it's not pretty, but it's better than static rules that leave the ports open all the time and always redirecting to a single IP.
You mentioned looking into proxies....does dante not do what you want? (I honestly don't know, having never looked into it)
By Fábio Olivé Leite () foleite@yahoo.com.br on mailto:foleite@yahoo.com.br
This is precisely why there is ftp-proxy(8). Perhaps someone should quit whining and start coding a streaming-proxy(8)?
Application-layer weirdness has no place inside the kernel. ;-)
By Bart Schipper () obsd@smartbart.com on mailto:obsd@smartbart.com
It contains a proxy server as well and should build on FreeBSD, Linux, Windows, Mac OS X and Solaris. A port should not be that difficult.
Good luck!
By Michael van der Westhuizen () on
Agreed.
By Olivier () om_deadlydotorg-039b@olden.ch on mailto:om_deadlydotorg-039b@olden.ch
I had some success with Dante, a SOCKS proxy server. Works fine with Quicktime and I suspect, any other SOCKS-aware software... ie, not RealPlayer 8 nor most (all?) of the M$ stuff.
sockd isn't trivial to configure though, the doc is worth a look.
For RealPrayer, I used the same workaround as Will suggested (ie forward 2+ UDP ports). Cumbersome but it does the job.
(and I confirm, streaming over UDP works muuuch better than anything relying on TCP)
I ran into some problems using both mechanisms simultaneously when the SOCKS server managed to claim and assign the ports I was statically forwarding. YMMV...