Hi all, I'm trying to connect several OSSEC agents to an OSSEC server over the internet and without VPN tunnels. This means IPs get transformed because of NAT. This is not a problem for agent-to-server communication, since I can register each agent with source IP "any" and all packets go to the same server. However, it seems that the server tries to respond to some of the UDP packets.

Here is an example of what I see with tcpdump on the firewall at the OSSEC server site:

15:54:57.839960 IP [PUBLIC-IP-CLIENT-SITE].50497 > [PUBLIC-IP-SERVER-SITE].1514: UDP, length 158
15:54:57.841374 IP [PUBLIC-IP-SERVER-SITE].1514 > [PUBLIC-IP-CLIENT-SITE].50497: UDP, length 73

And that of course doesn't work, since the firewall on the client side has no existing sessions (since the protocol is UDP), and even if I allow all traffic from the OSSEC server to any client, the firewall wouldn't know how to translate the public IP back to the private one, since there is no corresponding session.

The obvious solution would be to use TCP, but as I read in this mailing list, you cannot use TCP for agent-to-server communication. Another solution would be VPN, since I could work without NAT then. But for me this is not a solution, since some clients are laptops and change their locations, and I also don't want to install a VPN client on laptops since I have to keep a very small footprint on the clients.

I don't think this is a very special setup, and I hope somebody has found a solution to this?

Thanks in advance!
Andreas
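The following is an added example, not code from the post or from the OSSEC project. It models the client-site firewall described above as a stateful NAT table fed with tcpdump lines of the same shape as the two in the post: an outbound agent packet creates a translation entry, and the server's reply on UDP 1514 is mapped back to the private agent address only while that entry exists. It goes one step beyond the post by also modelling an idle timeout on the entry, which is the second way such a reply gets dropped. All addresses (10.0.0.5 as the agent, 198.51.100.7 as the client-site public address, 203.0.113.10 as the server), the timestamps and the 30-second timeout are constructed values; source-port preservation across NAT is an assumption.

```python
import re
from collections import namedtuple

# One "tcpdump -n" line: "HH:MM:SS.frac IP src.sport > dst.dport: UDP, length N"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"UDP, length (?P<length>\d+)$"
)

Packet = namedtuple("Packet", "ts src sport dst dport length")


def parse_line(line):
    """Parse one tcpdump UDP line; ts becomes seconds since midnight."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a tcpdump UDP line: %r" % line)
    hh, mm, ss = m["ts"].split(":")
    ts = int(hh) * 3600 + int(mm) * 60 + float(ss)
    return Packet(ts, m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"]), int(m["length"]))


class NatTable:
    """Minimal model of a stateful NAT device at the agent (client) site.

    inside_hosts: private addresses behind the firewall.
    public_ip:    the address the firewall translates them to.
    timeout:      idle seconds before a UDP pseudo-session is forgotten (assumed).
    """

    def __init__(self, inside_hosts, public_ip, timeout=30.0):
        self.inside = set(inside_hosts)
        self.public_ip = public_ip
        self.timeout = timeout
        # (public_ip, port, remote_ip, remote_port) -> (inside_host, last_seen_ts)
        self.entries = {}

    def handle(self, pkt):
        """Return (verdict, inside_host) for one packet crossing the firewall."""
        if pkt.src in self.inside:
            # Outbound agent packet: create or refresh the translation entry.
            # The source port is kept unchanged (assumption, see lead-in).
            key = (self.public_ip, pkt.sport, pkt.dst, pkt.dport)
            self.entries[key] = (pkt.src, pkt.ts)
            return ("translated", pkt.src)
        if pkt.dst == self.public_ip:
            # Inbound packet: only a reply to a live entry can be mapped back.
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            entry = self.entries.get(key)
            if entry is None:
                return ("dropped", None)       # no session to translate back to
            inside_host, last_seen = entry
            if pkt.ts - last_seen > self.timeout:
                del self.entries[key]
                return ("dropped", None)       # session idled out
            self.entries[key] = (inside_host, pkt.ts)
            return ("forwarded", inside_host)
        return ("dropped", None)


def evaluate(lines, inside_hosts, public_ip, timeout=30.0):
    """Run a list of tcpdump lines through the NAT model, in order."""
    table = NatTable(inside_hosts, public_ip, timeout)
    return [table.handle(parse_line(line)) for line in lines]


# Constructed sample capture as the client-site firewall would see it:
# agent packet out, server reply in, a reply with no matching entry,
# and a late reply after the entry has idled out.
SAMPLE_LINES = [
    "15:54:57.839000 IP 10.0.0.5.50497 > 203.0.113.10.1514: UDP, length 158",
    "15:54:57.841374 IP 203.0.113.10.1514 > 198.51.100.7.50497: UDP, length 73",
    "15:54:58.000000 IP 203.0.113.10.1514 > 198.51.100.7.60000: UDP, length 73",
    "15:56:10.000000 IP 203.0.113.10.1514 > 198.51.100.7.50497: UDP, length 73",
]

if __name__ == "__main__":
    for line, (verdict, host) in zip(SAMPLE_LINES,
                                     evaluate(SAMPLE_LINES, {"10.0.0.5"}, "198.51.100.7")):
        print("%-9s %-8s %s" % (verdict, host or "-", line))
```

Reading the verdicts against the post: the second line is the case that works only if the client-site device keeps a UDP pseudo-session for the agent's outbound packet; the third shows a reply the device can never map back, which is the situation the post describes; the fourth shows that even a device that does track UDP drops the reply once the entry has idled out. The practical check at the client site is therefore whether the firewall keeps such entries at all and how its UDP idle timer compares with the interval between the agent's outbound packets.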