Streaming with OpenBSD Firewall

Contributed by jose on 2003-09-15 from the dynamic-port-assignment dept.

knowfear writes: "I currently have an OpenBSD firewall+NAT machine on the border of my network. The only way I can receive streaming media is using slow HTTP/TCP. I've been looking for a better solution (socks, proxy, etc) but have not found anything useful. How can I setup my OpenBSD firewall to pass streaming media over UDP to NAT'd clients?"

Anyone with some PF skills want to suggest a recipe?

(Comments are closed)

Comments

By Chris Cappuccio () chris@nmedia.net on 2003-09-15 18:41 mailto:chris@nmedia.net

Well, most streaming protocols (rtsp, pnm, etc) work fine through NAT or stateful filtering. Some older versions of pnm (early realplayer, etc) do /not/, but I guess it depends really on what protocols you are talking about. What applications/protocols are breaking for you and how are you using PF? (NAT, filtering, and other relevant details, I can't believe people are posting stories like this without some basic information to help troubleshoot)
Comments
1. By knowfear () acordm@msoe.edu on 2003-09-15 23:00 mailto:acordm@msoe.edu
  
  It's my understanding that ports would have to be opened for the udp data to go through, because the port is requested in a packet (like ftp) and the server responds by sending a udp packet to that port, which the client had never sent a packet out from yet...
  
  so, no state is open yet for udp, and the server starts sending udp messages which the firewall stops.
  
  Understand better?
By Will () on 2003-09-15 18:45

I found that I had to open a two specific ports on the firewall. Then do a port redirect to your own PC on the usual 7070-7071. For other PC's on the network, you will need to assign different port numbers.

I did that on my previous OpenBSD firewall, and also on my current non-OpenBSD firewall. ( A cheap adaptec firewall in a box.)

When watching the BBC news on Real player the picture is MUCH better and smoother.

The drawback is that you need to open a pair of ports for each PC that wants to view UDP streams, and each IP used needs to have a couple of ports assigned to it.

A bit of a kludge but it worked for me.

Will
Comments
1. By knowfear () acordm@msoe.edu on 2003-09-16 08:39 mailto:acordm@msoe.edu
  
  I was thinking about doing this (mapping UDP ports to internal machines) although in my opinion it seems to defeat the purpose of the firewall in a way!
By Joe Klein () klein@joe.com on 2003-09-15 20:25 http://www.joe.com

I view streaming media of varying types through NAT/FW OpenBSD setup. Some protocols out there don't work well through NAT/FW, and if that's the case tough luck.

Other than that, add "keep state" to your UDP traffic and you should be in Media Player and Quicktime heaven. Don't know about Real because those guys suck:

1. they try and take over your computer
2. they port scan your computer all the time!
By Z-Blocker () on 2003-09-15 21:13

Hi,

Well I never saw this problem before.
I think you should give some more info about this.
Do you want to stream yourself or just receive streams?
In both situations it was succesful on my site.

Z
By knowfear () acordm@msoe.edu on 2003-09-16 08:47 mailto:acordm@msoe.edu

just a little more detail:

When I am streaming video/audio over the internet it is usually not very smooth. There are breaks/stops in the feed. I believe the breaks are due to the extra overhead associated with TCP. Streaming media was meant for quick UDP traffic, however streaming protocols are NOT firewall friendly. They are designed similar to FTP where there is an initial port connected on, then the client requests data be sent onto another port (in this case, the UDP feed, in FTP the data feed). As you are aware, simply using stating for FTP does not allow you to do active ftp because of this case. The same happens with these streaming media programs, simply using state on UDP does not allow them to work as they should.

Will suggested one solution I have read about, which is mapping incoming UDP ports to a specific machine, then setting up those machines to request their specific ports. Besides being a pain to setup/maintain, this kind of defeats some of the purpose of the firewall (IMO). I am looking for a cleaner/safer way to do this.

Any help/resources would be appreciated!
Comments
1. By Oliver Neubauer () on 2003-09-16 11:12
  
  I've found myself preaching the virtues of authpf a few times this week....
  
  If you want to do things the way you describe in your last paragraph then authpf is a very handy way of dynamically changing firewall rules in a fairly secure way, and only when you need them.
  
  Hope this helps
  o
  Comments
  1. By knowfear () acordm@msoe.edu on 2003-09-16 11:45 mailto:acordm@msoe.edu
    
    How would you see authpf helping? Particular uses would have to log into the firewall and then the UDP ports will automatically be opened to a computer, then when they log out they are closed?
    
    Comments
    
    By Oliver Neubauer () on 2003-09-17 17:10
    
    Precisely. It's not as elegant as a streaming proxy, but it would allow you to set up open ports and forward rules when needed, and tear them down when not. This also allows multiple computers to set up and tear down redirects based on their IP.
    
    Like I said, it's not pretty, but it's better that static rules that leave the ports open all the time and always redirecting to a single IP.
    
    You mentioned looking into proxies....does dante not do what you want? (I honestly don't know, having never looked into it)
2. By F�bio Oliv� Leite () foleite@yahoo.com.br on 2003-09-16 12:20 mailto:foleite@yahoo.com.br
  
  > They are designed similar to FTP where there is an initial port connected on, then the client requests data be sent onto another port (in this case, the UDP feed, in FTP the data feed).
  
  This is precisely why there is ftp-proxy(8). Perhaps someone should quit whining and start coding a streaming-proxy(8)?
  
  Application-layer weirdness has no place inside the kernel. ;-)
  Comments
  1. By Bart Schipper () obsd@smartbart.com on 2003-09-17 05:05 mailto:obsd@smartbart.com
    
    For a streaming-proxy you may want to take a look at Apple's open source Darwin Streaming Server: http://developer.apple.com/darwin/projects/streaming/
    It contains a proyx server as well and should build on FreeBSD, Linux, Windows, Mac OS X and Solaris. A port should not be that difficult.
    Good luck!
  2. By Michael van der Westhuizen () on 2003-09-17 05:52
    
    > Application-layer weirdness has no place inside the kernel. ;-)
    
    Agreed.
By Olivier () om_deadlydotorg-039b@olden.ch on 2003-09-19 06:59 mailto:om_deadlydotorg-039b@olden.ch

I had some success with Dante, a SOCKS proxy server. Works fine with Quicktime and I suspect, any other SOCKS-aware software... ie, not RealPlayer 8 nor most (all?) of the M$ stuff.
sockd isn't trivial to configure though, the doc is worth a look.

For RealPrayer, I used the same workaround as Will suggested (ie forward 2+ UDP ports). Cumbersome but it does the job.
(and I confirm, streaming over UDP works muuuch better than anything relying on TCP)

I ran into some problems using both mechanisms simultaneously when the SOCKS server managed to claim and assign the ports I was statically forwarding. YMMV...

Latest Articles

Wed, Apr 10
- 18:50 OpenSMTPD 7.5.0p0 Released (2)
Tue, Apr 09
- 04:49 20 years since "and we're just starting": undeadly.org turns 20 (2024-04-09) (12)
Fri, Apr 05
- 06:16 OpenBSD 7.5 released (2)
Thu, Mar 28
- 18:18 LibreSSL 3.8.4 and 3.9.1 released (0)
Tue, Mar 12
- 06:53 OpenSSH 9.7/9.7p1 released! (0)
Mon, Mar 11
- 11:28 Game of Trees 0.97 released (0)
Sun, Mar 10
- 09:06 LibreSSL versions 3.8.3 and 3.9.0 released (0)
Fri, Mar 08
- 06:46 OpenBGPD 8.4 released (0)
Mon, Mar 04
- 06:32 rpki-client 9.0 released (0)

Credits

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]