On Tue, Oct 15, 2002 at 01:54:00PM -0400, William Culler wrote:

> I have noticed that when I use some p2p file sharing programs, Kazaa
> more specifically, some UDP traffic is able to slip back through my
> OpenBSD box running nat/pf. I was curious if this is because I use a
> "pass out on $Ext proto udp all keep state" rule, and traffic initiated
> by me is allowed to return, or if there is some other reason? I don't
> allow any incoming traffic other than ssh. Thanks for any info.
Yes, the 'keep state' option in that rule allows replies to your outgoing UDP packets. UDP is connectionless by nature; pf associates all packets with the same source/destination addresses/ports with a UDP 'connection'. So if you allow the p2p client to send out, say, with source 10.1.2.3 port 3000 to 123.123.123.123 port 4000, then 123.123.123.123 can reply with source port 4000 to 10.1.2.3 port 3000, much in the same way as DNS queries and replies pass through a UDP state.

If you want to block replies, remove the 'keep state' option; then only your outgoing packets will pass. But I suspect that will break the connectivity of the p2p client :)

Daniel
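The state-table behaviour Daniel describes, as an added illustration that is not part of the original thread and not pf's code: a small Python model of a single "pass out on $Ext proto udp all" rule with and without 'keep state', fed the constructed packets from his example (10.1.2.3:3000 to 123.123.123.123:4000). The model tracks state on the 4-tuple, lets only the exact reverse tuple back in, and expires the entry after a fixed timeout. The fixed 60-second timeout and the omission of NAT (the real state would be keyed on the translated external address) are simplifications; pf itself uses several UDP timeouts, see pf.conf(5).

```python
"""Toy model of pf 'keep state' for UDP (added example, not pf source).

Models one 'pass out on $Ext proto udp all [keep state]' rule on a box
that otherwise blocks inbound traffic. NAT is omitted and a single
fixed idle timeout replaces pf's real UDP timeouts (a simplification).
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" or "in", relative to the external interface
    src: str
    sport: int
    dst: str
    dport: int


# State key: (local addr, local port, remote addr, remote port)
StateKey = Tuple[str, int, str, int]


class UdpFilter:
    def __init__(self, keep_state: bool, timeout: float = 60.0):
        self.keep_state = keep_state
        self.timeout = timeout  # assumed idle timeout, seconds
        self.states: Dict[StateKey, float] = {}  # key -> expiry time

    def _expire(self, now: float) -> None:
        """Drop state entries whose idle timer has run out."""
        for key in [k for k, exp in self.states.items() if exp <= now]:
            del self.states[key]

    def filter(self, pkt: Packet, now: float = 0.0) -> str:
        self._expire(now)
        if pkt.direction == "out":
            # The pass-out rule matches every outgoing UDP packet.
            # With 'keep state' it also records the 4-tuple.
            if self.keep_state:
                key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
                self.states[key] = now + self.timeout
            return "pass"
        # Inbound: nothing is allowed by a rule, so only a packet whose
        # reversed tuple matches a live state entry gets through.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.states:
            self.states[key] = now + self.timeout  # refresh on traffic
            return "pass"
        return "block"


def scenario(keep_state: bool) -> Dict[str, str]:
    """Run the constructed packets from the thread through the model."""
    fw = UdpFilter(keep_state)
    query = Packet("out", "10.1.2.3", 3000, "123.123.123.123", 4000)
    reply = Packet("in", "123.123.123.123", 4000, "10.1.2.3", 3000)
    # Constructed: an unsolicited peer, and the same host from another port.
    other_peer = Packet("in", "198.51.100.7", 4000, "10.1.2.3", 3000)
    wrong_port = Packet("in", "123.123.123.123", 4001, "10.1.2.3", 3000)
    return {
        "query": fw.filter(query, now=0.0),
        "reply": fw.filter(reply, now=1.0),
        "other_peer": fw.filter(other_peer, now=2.0),
        "wrong_port": fw.filter(wrong_port, now=2.0),
        "late_reply": fw.filter(reply, now=200.0),  # state has expired
    }


if __name__ == "__main__":
    for ks in (True, False):
        print("keep state" if ks else "no keep state", scenario(ks))
```

With 'keep state' the reply from 123.123.123.123:4000 passes while an unsolicited peer, a different source port on the same host, and a reply arriving after the state expired are all blocked; without 'keep state' the query still leaves but every inbound packet, replies included, is blocked.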
