Hi Dan
Your note pointed me in the right direction. I don't have the issue on a
pfsense either. And of course it has nothing to do with the protocol,
otherwise DNS wouldn't work either. This seems to be a problem with this
specific site.
Thanks!
On Thursday, June 21, 2018 at 6:14:48 PM UTC+2, dan (ddpbsd) wrote:
>
> On Thu, Jun 21, 2018 at 10:37 AM, >
> wrote:
> > Hi all
> >
> > I'm trying to connect several ossec agents to an ossec server over the
> > internet and without vpn tunnels. This means, IPs get transformed
> because of
> > NAT. This is not a problem for agent-to-server communication, since I
> can
> > register each agent with source ip "any" and all packets go to the same
> > server. However, it seems that the server tries to respond to some of
> the
> > udp packets.
> >
> > Here an example on what I see with tcpdump on the firewall at the ossec
> > server site:
> >
> > 15:54:57.839960 IP [PUBLIC-IP-CLIENT-SITE].50497 >
> > [PUBLIC-IP-SERVER-SITE].1514: UDP, length 158
> > 15:54:57.841374 IP [PUBLIC-IP-SERVER-SITE].1514 >
> > [PUBLIC-IP-CLIENT-SITE].50497: UDP, length 73
> >
> > And that of course doesn't work since the firewall on the client side
> has no
> > existing sessions (since protocol is UDP) and even if I allow all
> traffic
> > from ossec server to any client, the firewall wouldn't know how to
> translate
> > the public IP back to the private since there is no corresponding
> session.
> > The obvious solution would be to use TCP but as I read in this mailing
> list,
> > you cannot use TCP for agent-to-server communication. Another solution
> would
> > be VPN, since I could work without NAT then. But for me this is not a
> > solution, since some clients are labtops and change their locations and
> I
> > also don't want to install a vpn client on labtops since I have to keep
> a
> > very small footprint on the clients.
> >
> > I don't think this is a very special setup and I hope somebody has found
> a
> > solution to this?
> >
>
> That's very strange, my firewall (OpenBSD's pf) is able to keep state
> on UDP "sessions."
> I don't know the details of how it does so though.
> The Virgil security folks are adding some support for a new
> communication method that should help, but this doesn't do much for
> you now.
>
> > Thanks in advance!
> >
> > Andreas
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google
> Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> an
> > email to ossec-list+...@googlegroups.com .
> > For more options, visit https://groups.google.com/d/optout.
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.