Downside of Static Port for All Traffic from One Device?
-
One of my wife's games was giving her "Strict NAT" warnings and refusing to run. To get it working, I had to add an outbound NAT firewall rule making all traffic from her machine static. I used the following somewhat vague article as the basis:
https://doc.pfsense.org/index.php/Static_Port
That article says to specify the particular ports that need to be open, but that doesn't work. My guess is the Ubisoft/Uplay/Uno people have listed incorrect port information here:
https://support.ubi.com/en-US/Faqs/000025273/Connectivity-Issues-PC-UNO
So, until I can figure out which ports the game actually needs to be statically mapped, what's the downside of making all traffic from her computer static? Is it just a slight hit to security?
By default, pfSense rewrites the source port on all outgoing packets. Many operating systems do a poor job of source port randomization, if they do it at all. This makes IP spoofing easier, and makes it possible to fingerprint hosts behind the firewall from their outbound traffic. Rewriting the source port eliminates these potential (but unlikely) security vulnerabilities.
-
Not really a hit to security. But it can cause a problem with actual NAT. You have multiple devices behind your NAPT (network address port translation). What if some other device was NATted to use port X as its source port on your internet connection, and now the device you want to use as static is using the same port? There is no way for pfSense to then make that a static port.
There is no possible way for pfSense to reserve ALL the ports for use only by your specific device. So while there are really no security issues with what you're doing, it is a borked config when you have more than 1 device behind a NAPT. Sooner or later you're going to run into a conflict that prevents a connection, when multiple devices try to use the same port, since you have locked your one device into using static. The more devices you have behind your NAPT, the more likely you are to run into the conflict.
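To make the port-conflict point concrete, here is a small simulation (added for illustration, not code from the thread or from pfSense) of an outbound NAPT table: one LAN host has a static-port rule, every other host gets the default rewritten source port. It assumes a simplified model where each external port belongs to exactly one flow, and all addresses and ports are made up.

```python
import random
from dataclasses import dataclass, field

# Constructed model of a NAPT (outbound NAT) table, simplified so that each
# external port on the WAN address belongs to exactly one LAN flow. Hosts
# listed in static_hosts must keep their original source port (the "static
# port" outbound NAT rule); everyone else gets the default rewritten port.
# The addresses and ports below are made up for the demonstration.

@dataclass
class Napt:
    wan_ip: str
    static_hosts: set = field(default_factory=set)
    table: dict = field(default_factory=dict)   # ext_port -> (src_ip, src_port, dst_ip, dst_port)
    rng: random.Random = field(default_factory=lambda: random.Random(1))

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        """External source port for this flow, or None if no mapping is possible."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        for ext_port, existing in self.table.items():   # existing state: reuse it
            if existing == flow:
                return ext_port
        if src_ip in self.static_hosts:
            if src_port in self.table:      # port already held by another host
                return None                 # static mapping cannot be honoured
            self.table[src_port] = flow
            return src_port
        # Default behaviour: pick a free port from the rewrite range
        free = [p for p in range(50001, 65536) if p not in self.table]
        ext_port = self.rng.choice(free)
        self.table[ext_port] = flow
        return ext_port

def demo_conflict():
    """Show the conflict the reply describes; returns (alone, blocked, rewritten)."""
    static_pc = "192.168.1.20"
    # With nothing else in the table, static port works: 50123 stays 50123.
    alone = Napt("203.0.113.5", {static_pc}).translate(static_pc, 50123, "198.51.100.9", 443)
    nat = Napt("203.0.113.5", {static_pc})
    # Another LAN host's flow was rewritten earlier and happens to hold 50123.
    nat.table[50123] = ("192.168.1.30", 61000, "198.51.100.7", 443)
    # The static host now opens a flow from its own ephemeral port 50123.
    blocked = nat.translate(static_pc, 50123, "198.51.100.9", 443)
    # A host without the static rule in the same situation is simply rewritten.
    rewritten = nat.translate("192.168.1.40", 50123, "198.51.100.9", 443)
    return alone, blocked, rewritten
```

The more hosts share the WAN address, the more of the rewrite range is occupied at any moment, so the chance that the static host's chosen source port is already taken grows with them.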
-
Ouch (and thanks). I've written Ubisoft to see if they'll provide a correct list of ports the game needs. Hopefully, they'll answer.