Copy/paste firewall NAT issue


Doug Dimick

Aug 1, 2017, 6:43:33 AM
to Input Director
My configuration is a master on the LAN segment of a pfSense firewall, and one slave on a DMZ interface. Anything from LAN to DMZ is permitted, but DMZ has restricted access to LAN.

I'm using NAT to port forward TCP/UDP 31234, and everything behaves as expected _except_ copying from the slave and pasting to the master. Looking at a Wireshark packet capture, it seems like the slave might be initiating a TCP connection to the master on a randomized port number for the paste, which the firewall is dropping, as it's supposed to do. Copying from master to slave works fine, which I would expect since the firewall is configured to forward all traffic from the LAN interface.

Placing the master and slave on the same network segment resolves the issue, but is not an ideal solution for my usage.

Do I understand the problem correctly? Is there anything I can do to resolve?

Shane

Aug 2, 2017, 12:40:45 AM
to Input Director
Hi Doug,

It sounds like you'll need to amend your F/W rules. Clipboard data is sent over TCP. A connection is established from the computer doing the paste to the computer that holds the clipboard data. In the scenario described, the client computer establishing a TCP connection is allocated a random port number and connects to the TCP port 31234 on the target computer. 

Regs,

Shane.

Doug Dimick

Aug 2, 2017, 11:22:50 AM
to Input Director
Thanks for the reply, Shane. I have a rule permitting both TCP and UDP for destination port 31234 already. Would a copy of the packet capture help in any way? I can easily reproduce the issue.

Shane

Aug 9, 2017, 7:56:43 AM
to Input Director
Hi Doug,

You'll need to have your rules set up both ways (so that either master or slave can connect to 31234 on the other using TCP and UDP).

Regs,

Shane.
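To make Shane's advice concrete, here is an added illustration (not code from the thread, from pfSense, or from Input Director): a minimal first-match, default-deny stateful packet-filter model. It shows that the clipboard fetch from the DMZ side is dropped when only the LAN interface has a pass rule, that adding a pass for destination port 31234 (TCP and UDP) on the DMZ interface fixes it, and that the return traffic to the randomized client port is allowed by connection state, so no rule for that port is needed. The addresses, interface names and the ephemeral port are constructed values, and the NAT port forward from the original setup is not modelled.

```python
# Added example: a toy stateful packet filter used to show why the Input
# Director clipboard port (31234 TCP/UDP) needs a pass rule on both the LAN
# and DMZ interfaces. Addresses, interface names and ports are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrives on ("lan" or "dmz")
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    iface: str
    proto: Optional[str]   # None matches any protocol
    dport: Optional[int]   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.iface == p.iface
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))


class StatefulFilter:
    """First-match pass list with a state table; anything unmatched is dropped."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()   # (proto, src, sport, dst, dport) of accepted flows

    def evaluate(self, p: Packet) -> str:
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        # Reply traffic of an accepted flow passes on state, not on a rule,
        # which is why the randomized client port never needs its own rule.
        if reverse in self.states:
            return "pass (state)"
        if any(r.matches(p) for r in self.rules):
            self.states.add(flow)
            return "pass (rule)"
        return "drop"


MASTER = "192.0.2.10"      # LAN side (constructed address)
SLAVE = "198.51.100.20"    # DMZ side (constructed address)
CLIP_PORT = 31234
EPHEMERAL = 49152          # stand-in for the randomized client port


def clipboard_fetch(fw: StatefulFilter, client: str, client_iface: str,
                    server: str, server_iface: str, proto: str = "tcp"):
    """Model the clipboard transfer as described in the thread: the computer
    doing the paste connects from a random port to 31234 on the computer that
    holds the clipboard data, and the holder's reply flows back."""
    syn = Packet(client_iface, proto, client, EPHEMERAL, server, CLIP_PORT)
    reply = Packet(server_iface, proto, server, CLIP_PORT, client, EPHEMERAL)
    return fw.evaluate(syn), fw.evaluate(reply)


def one_way_rules():
    # LAN may reach anything; the DMZ interface has no pass rule toward LAN.
    return [Rule("lan", None, None)]


def two_way_rules():
    # Shane's advice: 31234 TCP and UDP also permitted from the DMZ interface.
    return one_way_rules() + [Rule("dmz", "tcp", CLIP_PORT),
                              Rule("dmz", "udp", CLIP_PORT)]


def demo():
    results = {}
    for name, rules in (("one-way", one_way_rules()),
                        ("two-way", two_way_rules())):
        fw = StatefulFilter(rules)
        results[name] = {
            "master_fetches_from_slave":
                clipboard_fetch(fw, MASTER, "lan", SLAVE, "dmz"),
            "slave_fetches_from_master":
                clipboard_fetch(fw, SLAVE, "dmz", MASTER, "lan"),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Running it shows the "one-way" rule set dropping the connection that originates on the DMZ interface while the "two-way" set passes both directions; the same destination-port-only rule on each interface is what pfSense's interface rule tabs would express.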