Custom UDP port settings in pf: Skype - BSD


  1. Custom UDP port settings in pf: Skype

    I'm about to get 3.8 (and a t-shirt!) shortly, and I'll be setting it up
    on a 386 edge box this month. One bit I have to sort out is seeing if I
    can tune pf to work a little nicer with services like Skype.

    Specifically, Skype likes the following:

    1. Outgoing TCP connections should be allowed to remote ports 1024 and
    higher.

    2. Outgoing TCP connections should be allowed to remote ports 80 and 443.

    3. Outgoing UDP packets should be allowed to remote ports 1024 and
    higher. For UDP to be useful to Skype, the NAT must allow for replies to
    be returned to sent UDP datagrams. (The state of UDP "connections" must
    be kept for at least 30 seconds, and Skype recommends that these
    translations be maintained for as long as an hour, if possible.)

    4. The NAT translation should provide consistent translation, meaning
    that outgoing address translation is usually the same for consecutive
    outgoing UDP packets.

    Now, (1) and (2) I got covered. I have a default deny in, but a default
    allow out policy (small internal net I can mostly trust). It seems that
    I have some work to do with (3) and (4). Note that things will still
    work, as Skype will fall back to TCP if it cannot use UDP efficiently.
    I just want to let the app use the more efficient protocol, if I can.

    As far as (3) is concerned, I understand that I can keep state on UDP,
    and there is an option to control how long this state is maintained.
    Something like "set timeout interval 3600", though I'm unclear on what
    the effect of increasing this 360x beyond the default of 10 seconds will
    be. Since they state 60 seconds as a good minimum I expect I'll try
    some value between that and 300.

    (4) is giving me some pause. The docs say, "for UDP communications to
    work properly for Skype through NAT, the translation rules for UDP
    packets must be consistently handled, meaning that UDP packets set [sic]
    from one external network address and port number must be consistently
    translated to an internal network address and port number without
    varying either the network address or port number."

    I _think_ this will be (at least partially) covered by the use of the
    "static-port" keyword in the appropriate nat line. The IP addresses
    should be fine, since I only have one outside address and the Skype
    client will be running on one internal host at a time. Does this sound
    right? Has anyone else tweaked pf to work with Skype or other streaming
    datagram over UDP net apps?

    Thanks.

    -- cm
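    An added pf.conf fragment (written for this thread, not the poster's
    config and not from the pf project) showing the three pieces discussed
    above: the outgoing TCP/UDP pass rules, longer UDP state lifetimes via
    the per-protocol `udp.*` timeouts (used here instead of the purge
    `interval` mentioned in the post, which controls how often expired states
    are flushed rather than how long they live), and `static-port` on a nat
    rule for the Skype host so the source port is not rewritten. Interface
    names, the internal network and the Skype host address are assumed.

```pf
# Assumed names and addresses; replace with your own.
ext_if = "fxp0"
int_if = "fxp1"
skype_host = "192.168.1.10"

# pf defaults are udp.first 60, udp.single 30, udp.multiple 60 (seconds).
# Raise them so NAT'd UDP replies keep a valid state entry longer
# (example values; check with: pfctl -s timeouts).
set timeout { udp.first 300, udp.single 300, udp.multiple 300 }

# First matching nat rule wins: the Skype host keeps its source port
# (consistent translation); everything else gets normal port rewriting.
nat on $ext_if from $skype_host to any -> $ext_if static-port
nat on $ext_if from $int_if:network to any -> $ext_if

# Default deny inbound, allow outbound with state.
block in all
pass in on $int_if from $int_if:network to any keep state
pass out on $ext_if proto tcp from any to any port { 80, 443 } keep state
pass out on $ext_if proto tcp from any to any port >= 1024 keep state
pass out on $ext_if proto udp from any to any port >= 1024 keep state
# Inspect live UDP state entries with: pfctl -s state | grep udp
```

    Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then without
    `-n` to apply.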

  2. Re: Custom UDP port settings in pf: Skype

    clvrmnky writes:

    > I'm about to get 3.8 (and a t-shirt!) shortly, and I'll be setting it
    > up on a 386 edge box this month. One bit I have to sort out is seeing
    > if I can tune pf to work a little nicer with services like Skype.

    Are you having more trouble getting Skype to work than other network
    apps? In my experience Skype is rather flexible with respect to how it
    communicates with other Skype nodes. The list of requirements is more
    like "at least one of" than a full list of demands. FWIW, I've
    successfully run Skype from a net where essentially only 2) is true
    (essentially the basic gateway config from http://www.bgnett.no/~peter/pf/).

    --
    Peter N. M. Hansteen, member of the first RFC 1149 implementation team
    http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
    "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"

  3. Re: Custom UDP port settings in pf: Skype

    On 02/11/2005 3:25 AM, Peter N. M. Hansteen wrote:
    > clvrmnky writes:
    >
    >> I'm about to get 3.8 (and a t-shirt!) shortly, and I'll be setting it
    >> up on a 386 edge box this month. One bit I have to sort out is seeing
    >> if I can tune pf to work a little nicer with services like Skype.
    >
    > Are you having more trouble getting Skype to work than other network
    > apps? In my experience Skype is rather flexible with respect to how it
    > communicates with other Skype nodes. The list of requirements is more
    > like "at least one of" than a full list of demands. FWIW, I've
    > successfully run Skype from a net where essentially only 2) is true
    > (essentially the basic gateway config from http://www.bgnett.no/~peter/pf/).
    >

    I'm pretty sure I answered this one in my original posting.

    This issue isn't about getting Skype to work. This issue is seeing if I
    can help it work more efficiently, just because I can.

    So, this is partly about Skype and partly about pf.
