On Sat, Apr 8, 2017 at 4:39 AM, Marina Ala <[email protected]> wrote:
> I heard that OpenBSD's pf can prevent Hole punching:
> Is it true? I just cannot google on it, but if someone would answer this
> thread then the world can google for it from that point :D
PF doesn't prevent hole punching by itself, but depending on how you have it configured, it can make hole punching difficult or impossible.

Of course a ruleset that blocks everything (e.g. "block all quick") will block everything, including hole punching requests. This can be useful if you want to allow Internet access for a specific machine, but block Internet access for all other machines. But if you allow your users to make direct outbound connections (e.g. for web browsing or playing online games) then users in your network can use those outbound connections to initiate hole punching (outbound) and there's not much you can do to stop it without resorting to IP address filtering.

If you are trying to block inbound hole punching (or peer-to-peer hole punching) PF naturally makes this hard due to port randomization (the external party cannot reliably predict which port on your side they should try to connect to). If you want to allow peer-to-peer hole punching you can make it easier by using the static-port option described in the pf.conf(5) man page but this can cause problems if you have multiple internal hosts all trying to send from the same port numbers. Despite PF making hole punching harder, if the other side makes things sufficiently easier (no NAT, or no address-specific port mapping) then peer-to-peer hole punching might succeed anyway.

If you are trying to block your users from running applications that use hole punching, you may not be able to do it unless you block everything. Blocking all direct user traffic and having them use a web proxy would help, but still wouldn't block applications that can masquerade as a web server.

-ken
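For readers who find this thread later, here is an added pf.conf fragment (not from Ken's message or from OpenBSD itself) that puts the points above side by side: a default-deny ruleset that lets only named machines out, the default port-randomizing NAT that keeps inbound hole punching hard, and the static-port exception with its collision caveat. Interface names and addresses are assumptions for illustration.

```pf
# Added example, not part of the original thread. Interface names and
# addresses are made up for illustration.
ext_if = "em0"
int_if = "em1"
allowed_host = "10.0.0.10"   # the one internal machine allowed direct Internet access
p2p_host = "10.0.0.20"       # internal host that legitimately needs peer-to-peer hole punching

# Default policy: drop everything, including inbound hole-punching attempts
# and direct outbound connections from every host not listed below.
block all

# Default NAT: pf picks a random external source port per connection, so a
# remote peer cannot predict which port on the firewall to aim at. Inbound
# hole punching toward $allowed_host stays hard.
match out on $ext_if inet from $allowed_host to any nat-to ($ext_if)

# static-port keeps the internal source port on the outside, which is what
# lets peer-to-peer hole punching work for $p2p_host. Caveat from the
# thread: two internal hosts sending from the same source port would
# collide, so only grant this per host, never to the whole network.
match out on $ext_if inet from $p2p_host to any nat-to ($ext_if) static-port

# Let only those two hosts out; every other internal host hits "block all".
pass in on $int_if inet from { $allowed_host, $p2p_host } to any
pass out quick on $ext_if inet
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it; the static-port line is the one to review whenever another host is added to the list.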

