Carrier-grade NAT (IOW NAT done on a router at the ISP), e.g. used with ds-lite. It's getting more and more common as ISPs don't have enough IPv4 addresses any more to assign one to each and every connecting customer.What is CGNAT?
Actually no. SIP is what is used for VoIP and the fact that it has problems with NAT is because it was never designed to work through NAT in the first place. SIP exchanges IP address information within the protocol and that is obviously a problem if this IP address is from a private IP address block. That does not implicate that there is anything wrong with NAT that needs to be fixed, also solutions to this particular problem (SBCs, B2BUAs, ALGs, SIP/RTP proxies) have been available in a wide variety for quite some time now.I consider "to demonstrate a use case for the patch" as lower priority, because simply throwing in the terms VoIP, SIP, WebRTC triggers enough attention?
Actually it's the other way around as stated in pf.conf(5):IIUC the manpage pf.conf(5) is unambiguous here: "A stateful connection is automatically created [...] as long as [the packets] are not blocked by the filtering section of pf.conf." I.e., the blocking filtering rules overrule NAT's packet translation. Again, we could/should create an external test (or set of tests) to ensure this? EDIT Yes, and additionally this could go into an code-internal assertion. My understanding is that the filters are applied 1st, then the NAT rules, then maybe additional filter rules? Are there such? In ipfw(4), the rules are numbered. How is the ordering handled in pf(4)? Or does the admin have to use netgraph(4) to apply stacking of rules?
Since translation occurs before filtering the filter engine will see
packets as they look after any addresses and ports have been translated.
Filter rules will therefore have to filter based on the translated
address and port number. Packets that match a translation rule are only
automatically passed if the pass modifier is given, otherwise they are
still subject to block and pass rules.
Talking about the behavioural characteristics of the so called 'full cone NAT' you will probably find the same information in many places on the internet including here, and the key aspect that just doesn't fly with me is:The question is: Look at the scenario that a packet arrives from a so far unknown remote host on a port that HAS a mapping. Does the patch do the sane thing here, rewrite this packet, but still evaluate the rules (cause with the unknown remote host, it doesn't really match a state entry)? If yes, it would still be blocked if you have e.g. a "block all" rule, but would be routed and rewritten correctly if no filter rule blocks it.
Sure, this is one thing you must review when reviewing the patch. It should NOT introduce a hole in the stateful filtering mechanisms, and I'd say if it does, it is broken.
This is what RFC4787 terms as an enpoint independent filtering. While this will certainly help applications that rely on broken-by-design techniques such as STUN/TURN/ICE to function, from a security standpoint such behaviour is just not tolerable.Any external host can send packets to iAddr:iPort by sending packets to eAddr:ePort.
The whole problem with this discussion is that filtering is an unwanted necessity for NAT, but intended behavior for firewalling. If these aspects aren't clearly separated then yes, you might open up unwanted security holes.This is what RFC4787 terms as an enpoint independent filtering. While this will certainly help applications that rely on broken-by-design techniques such as STUN/TURN/ICE to function, from a security standpoint such behaviour is just not tolerable.
nat on $ext_if from $internal_net to any -> ($ext_if)
block in on $ext_if
pass out on $ext_if
Stateful filtering is trivially defeated when you have a coordinator like a STUN server in the middle. Since UDP is not really stateful, all the endpoints have to do is start sending packets to each other to establish a "state". Sure there'll be a little packet loss at the beginning, but it's easy to deal with that.This is what RFC4787 terms as an enpoint independent filtering. While this will certainly help applications that rely on broken-by-design techniques such as STUN/TURN/ICE to function, from a security standpoint such behaviour is just not tolerable.
This is IMHO still the wrong conclusion, but it depends on your definition of "better". The standard in question aims to improve NAT (and *only* NAT). This is of course desirable. When there is a risk attached, it's for implementation reasons (when the same code is used for stateful filtering in general).This seems to be a good example where it is probably the better alternative not to blindly follow the standard.
Done. 1st activity of my Phabricator account. Let's see what else I can do. If only I could manage to waste less time hanging aroung here in the forum... Please stop posting interesting topics that distract my attention!Maybe it could be a good idea to add a comment to the PR, linking to this thread for detailed reasoning about this patch not being added, so this discussion doesn't unnecessarily repeat.
First my impression was: why is that RFC not integrated, even though it would be beneficial for VoIP and much more.Done. 1st activity of my Phabricator account.
Just to make this as clear as possible: This patch "done right"*) wouldn't have ANY implications on "unsuspecting users" except for those that ONLY have a "nat" rule and somehow expect that to do "firewalling". You won't find such a configuration anywhere, even the handbook adds the most basic firewalling rules in its examples, so someone having ONLY nat in his config should probably know what he does.Learning what this unsolicited patch does, what implications it has on the unsuspecting user who doesn't know deep technical detail, which damage potential it has, and the difficulty to test that thoroughly.
I'm gonna butt in here real fast to try making a convincing argument for this.Strong disagree here. The first thing to accomplish with any patch is to convince people that what it tries to do makes things better. Once that's established we can argue about how to get there.
Throwing around terms doesn't accomplish that at all, unless you mean to claim that VoIP/SIP/WebRTC currently don't work (they do...).
IMHO, the actual "fault" is NATNow, this is, as far as I know, *mostly* an issue with games, and yes, games should be able to just do UPnP requests to set up holes, and many of them don't, and that's kind of the fault of games.
sockstat -l6n
would be empty on that box, it's because my firewall rejects any TCP/UDP connection attempt from the internet to any box in the LAN. There's no reason at all why some consumer plastic router couldn't do the same for IPv6 while delegating a public prefix to your LAN.One box on the Internet can be secured, therefore all boxes on the Internet can be secured. I can't decide if this is a hasty generalization or a garden-variety non sequitur.Of course, you're invited to look for services on nexus.home.palmen-it.de (my desktop box). Spoiler: you won't find any, and that's not becausesockstat -l6n
would be empty on that box, it's because my firewall rejects any TCP/UDP connection attempt from the internet to any box in the LAN.
After 6 years ,anybody could be kind enough to commit the patch to the latest kernel ?⚙ D11137 PF: implement RFC 4787 REQ 1 and 3 (full cone NAT)
reviews.freebsd.org
IPv4 is still the most important.And with every year going by, the effort needed to do this makes less sense, as IPv4 finally is (albeit still quite slowly) dying.
How about pfSense guysBluntly, no.
Not without a much better documented use case for this patch, along with tests and some sort of indications that the author (or someone...) will maintain it. Right now it is abandoned, and doesn't even apply any more.
This patch makes fairly deep changes to the NAT code, changes which I currently do not understand and do not have the motivation or energy to study. If it gets committed and breaks something I'm going to be the one who has to fix it, so ... no, not unless someone can present a compelling case that this actually improves anything, that it is correct and that if there are issues they will work on them.
What about it?How about pfSense guys
Most private customers (mobile and landline) don't even get IPv4 any more. They often don't notice it in typical consumer usage scenarios because they get some tunneled IPv4 with provider-side NAT (CGNAT) instead.IPv4 is still the most important.