iChat video chat behind PF/NAT
Mon, 02/23/2009 - 21:12 — Tuba
I recently had the opportunity to fiddle a bit with getting iChat video chat to work properly with PF and NAT. As we all know, NAT is evil - getting ugly protocols past it no less so.
First step in finding out exactly what went wrong was doing a bit of tcpdump on the internal firewall interface while trying to connect to a video chat session:
1235401525.872542 192.168.142.30.16402 > snatmap.mac.com.5678: udp 16 1235401526.060152 snatmap.mac.com.5678 > 192.168.142.30.16402: udp 16So far so good, the connection to the SNATMAP service at Apple worked nicely. After that, it all went horribly wrong. A bit of poking around with tcpdump on the external and internal interface at the same time told me why - source port numbers on outgoing UDP packets changed during the NATting. The solution is as simple as the underlying problem isn't: Add "static-port" to the end of the NAT line in /etc/pf.conf.
