pf rdr problems?

To: tech-net%netbsd.org@localhost
Subject: pf rdr problems?
From: Jan Danielsson <jan.m.danielsson%gmail.com@localhost>
Date: Sat, 10 Aug 2013 22:08:18 +0200

Hello,

   To make a long story short; I had some really weird network problems
which seemed to be related to ipfilter (or my configuration of it). I
switched to pf (which solved all the issues I had in my previous
configuration), and in the process got access to miniupnpd (as it no
longer works with ipfilter).

   A friend and I wanted to do some co-op gaming on the PS3, so I set up
miniupnpd, and we started the game and it all worked fine.

   A few days later we were going to continue playing the game, but this
time I couldn't get the games connected. I took a look in the pflog and
saw that it was blocking a bunch of UDP packets on port 3659. I
explicitly opened up that port on my external interface, and then it worked.

   Wind forward a few days, and we wanted to pick up where we had left
off, but again, couldn't get the game to connect. The UDP packets were
being blocked. I checked that the nat rule was there:

   $ pfctl -a miniupnpd -s nat
   rdr pass quick on wm0 inet proto udp from any to any port =
apple-sasl keep state label "EA Tunnel" rtable 0 -> 192.168.124.17 port 3659

   ...and the explicit filtering:
   $ pfctl -sr
   [---]
   pass in quick on wm0 inet proto udp from any to (wm0) port =
apple-sasl keep state
   [---]

   (apple-sasl = 3659)

   Somewhere along the line I realized that the rule that miniupnpd
added had the magic keyword "pass", which roughly sounded like "don't
filter". And pf.conf(8) confirms this.

   In an act of "ok, then let's see what happens if .." I tried to "pass
all" in the beginning of my pf.conf filter section, and sure enough the
packets were no longer blocked, but for some reason the games couldn't
connect despite this. I should note that when the packets are being
blocked, I can see 30-40 UDP packets being blocked on the external
interface, while when I allowed all packets to pass, I only got two
(which makes it seem to me like the rdr rule is working -- the PS3
received the packets, and sent some kind of reply).

   I also tried to disable miniupnpd, flush its nat entries, reenabled
my regular packet filtering rules and then added the rdr-entry manually
in pf.conf, but the packet was still being blocked (despite the rdr
having "pass").

   Are there any special caveats I should know about which could explain
these problems? What confuses me the most is the apparent "randomness"
in behavior; things which worked previously suddenly don't, and packets
being blocked despite "rdr pass ...".

-- 
Kind regards,
Jan Danielsson

Prev by Date: Re: BPF_MISC+BPF_COP and BPF_COPX
Next by Date: Re: BPF_MISC+BPF_COP and BPF_COPX
Previous by Thread: !!WEBMAIL UPGRADE ADMINISTRATOR TERM!!
Next by Thread: Network stress testing tools
Indexes:

Home | Main Index | Thread Index | Old Index