We have a three-legged firewall (internal, external, DMZ) which seems to block/somehow kill RTSP connections (or, more correctly, the RTP part of an RTSP connection) from the internal network to the outer world.
I have searched Google, this list's archives and the FAQs of real.com and Apple's QuickTime pages without getting any wiser, so I thought I would hear the list's opinion.
Many sites talk about the need for a proxy, but at the same time state that if port 554 (TCP) and the range 6990-7170 (UDP) (or some similar port range) are all open, the clients should just work.
I have not been able to get a simple description of RTSP/RTP, but it is my understanding that all connections initiate with the client, and that there is no issue with server-initiated connections as there is with FTP. Am I missing something here? (wrong place to ask, I know)
My question is therefore whether there is some specific issue with pf's NAT implementation or if there is some blatant problem with the following (admittedly amateurish) configuration:
# pf.conf:

# Network interfaces
EXT_IF = "fxp0"
INT_IF = "dc0"
DMZ_IF = "dc1"

# Networks
EXT = "192.168.1.0/24"
INT = "192.168.0.0/24"
DMZ = "192.168.2.0/24"

# Firewall's address on external network
FW = "192.168.1.111"

# IP addresses for servers in the DMZ
WEB_DMZ = "192.168.2.52"
MAIL_DMZ = "192.168.2.52"
GUEST_DMZ = "192.168.2.53"

# External addresses for servers kept in the DMZ
WEB_EXT = "192.168.1.52/32"
MAIL_EXT = "192.168.1.52/32"
GUEST_EXT = "192.168.1.53/32"

# Non-routeable addresses (loopback plus the RFC 1918 blocks; 172.16.0.0/12
# is the whole 172.16-172.31 private range)
RESERVED = "{127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8}"

###########################################################################
# NAT: everything leaving on the external interface, except traffic from the
# firewall's own external address, is translated to $FW
nat on $EXT_IF from ! $EXT_IF to any -> $FW

###########################################################################
# REDIRECT: inbound connections to the public server addresses go to the DMZ
# hosts; rdr runs before filtering, so the pass rules below match on the
# DMZ addresses
rdr on $EXT_IF proto tcp from any to $WEB_EXT port www -> $WEB_DMZ port www
rdr on $EXT_IF proto tcp from any to $MAIL_EXT port smtp -> $MAIL_DMZ port smtp
rdr on $EXT_IF proto tcp from any to $MAIL_EXT port 110 -> $MAIL_DMZ port 110
rdr on $EXT_IF proto tcp from any to $GUEST_EXT port www -> $GUEST_DMZ port www

###########################################################################
# FIREWALL: default deny in both directions, inbound blocks are logged
block in log all
block out all

###########################################################################
# Local loopback
pass in quick on lo0 all
pass out quick on lo0 all

###########################################################################
# Internal network: anything from inside may go anywhere, the state entry
# lets the replies back in
pass in on $INT_IF from $INT to any keep state

###########################################################################
# DMZ
pass in on $DMZ_IF from any to any keep state
pass out on $DMZ_IF from any to any keep state

###########################################################################
# External network: only the redirected services are accepted inbound,
# everything may leave
pass in on $EXT_IF inet proto tcp from any to $WEB_DMZ port www keep state
pass in on $EXT_IF inet proto tcp from any to $GUEST_DMZ port www keep state
pass in on $EXT_IF inet proto tcp from any to $MAIL_DMZ port smtp keep state
pass in on $EXT_IF inet proto tcp from any to $MAIL_DMZ port 110 keep state
pass out on $EXT_IF from any to any keep state

# End of listing.
Any ideas or pointers would be appreciated. If we need a proxy, does anyone have any experience with the configuration of pf?
Thanks in advance,
Morten
-----------------------------------------------------------------------
Morten Norby Larsen [EMAIL PROTECTED]
Magister Ludi s.r.l. Phone: +39 02 26 11 72 80
Via Battaglia 8, I-20127 Milano, Italy Fax: +39 02 28 46 037
http://www.magisterludi.com
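One pf-specific thing worth checking, given as an added example and not as part of Morten's post: an RTSP client announces the UDP ports it will receive on in the SETUP request's Transport header (e.g. client_port=6970-6971), but pf's default nat picks a new source port for outgoing UDP, so the server sends RTP to the advertised port on $FW and that packet matches no state. A nat rule with static-port for the RTP range keeps the client's port numbers unchanged; the 6970:7170 range and the macros below are assumed from the original config.

```pf
# Added example (not from the original post). This rule must come BEFORE
# the general nat rule: pf's nat/rdr rules are first-match, so a specific
# rule placed after the catch-all is never reached.
#
# RTSP clients advertise their UDP RTP/RTCP ports in the SETUP request's
# Transport header. With plain nat, pf rewrites the source port of the
# outgoing UDP, so the server's RTP arrives on $FW at the advertised port
# and finds no state. static-port keeps the original source port.
nat on $EXT_IF proto udp from $INT port 6970:7170 to any -> $FW static-port

# Everything else is translated as before.
nat on $EXT_IF from ! $EXT_IF to any -> $FW
```

This only helps if the client sends at least one outbound packet from each advertised port, since pf keeps UDP state per source/destination port pair; tcpdump on $EXT_IF (and pfctl -s state) will show which port the server is actually replying to and whether a matching state exists.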