I'm about to get 3.8 (and a t-shirt!) shortly, and I'll be setting it up on a 386 edge box this month. One bit I have to sort out is seeing if I can tune pf to work a little nicer with services like Skype. Specifically, Skype likes the following:

1. Outgoing TCP connections should be allowed to remote ports 1024 and higher.
2. Outgoing TCP connections should be allowed to remote ports 80 and 443.
3. Outgoing UDP packets should be allowed to remote ports 1024 and higher. For UDP to be useful to Skype, the NAT must allow for replies to be returned to sent UDP datagrams. (The state of UDP "connections" must be kept for at least 30 seconds, and Skype recommends that these translations be maintained for as long as an hour, if possible.)
4. The NAT translation should provide consistent translation, meaning that outgoing address translation is usually the same for consecutive outgoing UDP packets.

Now, (1) and (2) I got covered. I have a default deny in, but a default allow out policy (small internal net I can mostly trust). It seems that I have some work to do with (3) and (4). Note that things will still work, as Skype will fall back to TCP if it cannot use UDP efficiently. I just want to let the app use the more efficient protocol, if I can.

As far as (3) is concerned, I understand that I can keep state on UDP, and there is an option to control how long this state is maintained. Something like "set timeout interval 3600", though I'm unclear on what the effect of increasing this 360x beyond the default of 10 seconds will be. Since they state 60 seconds as a good minimum I expect I'll try some value between that and 300.

(4) is giving me some pause. The docs say, "for UDP communications to work properly for Skype through NAT, the translation rules for UDP packets must be consistently handled, meaning that UDP packets set [sic] from one external network address and port number must be consistently translated to an internal network address and port number without varying either the network address or port number." I _think_ this will be (at least partially) covered by the use of the "static-port" keyword in the appropriate nat line. The IP addresses should be fine, since I only have one outside address and the Skype client will be running on one internal host at a time.

Does this sound right? Has anyone else tweaked pf to work with Skype or other streaming datagram over UDP net apps?

Thanks.

-- cm
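The following pf.conf fragment is an added example of the two pieces discussed above (longer UDP state lifetime, and a fixed source-port translation for the Skype host); it is not from the thread or from any of the posters. It uses OpenBSD 3.8-era syntax, where "keep state" is spelled out explicitly, and the interface names, the inside network and the Skype host address are assumptions. Note that the UDP timeouts in pf are split into udp.first, udp.single and udp.multiple, and the one that governs an answered flow is udp.multiple. Because "static-port" turns off pf's source-port randomization for the flows it matches, the example scopes it to the single Skype host rather than to the whole inside network, so the rest of the network keeps randomized translated ports.

```pf
# Added example pf.conf fragment (OpenBSD 3.8-era syntax); not from the thread.
# Assumed values: interface names, inside network, and the one Skype host.
ext_if     = "fxp0"            # assumption: outside interface
int_if     = "fxp1"            # assumption: inside interface
int_net    = "192.168.1.0/24"  # assumption: constructed inside network
skype_host = "192.168.1.10"    # assumption: the single host that runs Skype

# UDP state lifetimes. pf.conf(5) defaults are udp.first 60s, udp.single 30s,
# udp.multiple 60s. Only the bidirectional timeout (udp.multiple) needs raising
# for a flow that has already seen replies; 300s is the upper end the poster
# is considering, rather than the full hour Skype suggests.
set timeout { udp.first 60, udp.single 30, udp.multiple 300 }

# Requirement (4): a consistent source-port mapping, but only for UDP from the
# Skype host to high ports. First matching nat rule wins, so this goes first.
# static-port disables source-port randomization for these flows only.
nat on $ext_if proto udp from $skype_host to any port >= 1024 -> ($ext_if) static-port
# Everyone else keeps the default translation with randomized source ports.
nat on $ext_if from $int_net to any -> ($ext_if)

# Default deny inbound, permit outbound (as in the post). "keep state" is what
# lets the translated UDP replies back in: they match the state entry, and no
# inbound pass rule is needed for them.
block in on $ext_if all
pass out on $ext_if proto tcp from $int_net to any port { 80, 443 } keep state
pass out on $ext_if proto tcp from $int_net to any port >= 1024 keep state
pass out on $ext_if proto udp from $int_net to any port >= 1024 keep state
```

After loading the ruleset, "pfctl -s timeouts" shows the effective UDP timeouts, and "pfctl -s state" while a call is up shows the Skype host's UDP entries with their translated address:port, which is where to confirm that the external port stays the same across consecutive datagrams from the same internal port.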
clvrmnky <clvrmnky-uunet@coldmail.com.invalid> writes:

> I'm about to get 3.8 (and a t-shirt!) shortly, and I'll be setting it
> up on a 386 edge box this month. One bit I have to sort out is seeing
> if I can tune pf to work a little nicer with services like Skype.

Are you having more trouble getting Skype to work than other network apps? In my experience Skype is rather flexible with respect to how it communicates with other Skype nodes. The list of requirements is more like "at least one of" than a full list of demands. FWIW, I've successfully run Skype from a net where essentially only 2) is true (essentially the basic gateway config from http://www.bgnett.no/~peter/pf/).

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
On 02/11/2005 3:25 AM, Peter N. M. Hansteen wrote:

> clvrmnky <clvrmnky-uunet@coldmail.com.invalid> writes:
>
>> I'm about to get 3.8 (and a t-shirt!) shortly, and I'll be setting it
>> up on a 386 edge box this month. One bit I have to sort out is seeing
>> if I can tune pf to work a little nicer with services like Skype.
>
> Are you having more trouble getting Skype to work than other network
> apps? In my experience Skype is rather flexible with respect to how it
> communicates with other Skype nodes. The list of requirements is more
> like "at least one of" than a full list of demands. FWIW, I've
> successfully run Skype from a net where essentially only 2) is true
> (essentially the basic gateway config from http://www.bgnett.no/~peter/pf/).

I'm pretty sure I answered this one in my original posting. This issue isn't about getting Skype to work. This issue is seeing if I can help it work more efficiently, just because I can. So, this is partly about Skype and partly about pf.