This is a discussion on UDP server on multihomed host; client behind packet filter within the IPFilter forums, part of the System Security and Security Related category.
First off, I'd like to apologize if this has been covered before. (I haven't found anything in the Google Groups archive or the list archive at marc.theaimsgroup.com. A quick run through the sources didn't reveal anything, either.)

I was wondering how y'all handle UDP servers bound to INADDR_ANY on hosts multihomed to the same network. It's completely conceivable for reply datagrams to be sent from an address/port not matching the client's original destination, thus failing tests in the NAT and/or state code.

Assume the following:

  - I don't control the servers and can't force them to use a socket on each address. (I wouldn't want to waste sockets like that, either.)
  - The client program doesn't care about the reply's source address and port.

Knowing the service port ahead of time, I could hack IPF, adding a "wild" flag, and write a rule specific to this port that'd cause the state and NAT code to make use of wildcard flags. Thoughts?

e.g.,

    pass out quick on xl0 proto udp from any to \
        192.168.0.16/28 port = 1723 keep state keep frags wild_daddr

I don't want to go so far as permitting all traffic from the server subnet + port to all of my clients. Is there an elegant and seemingly obvious solution that I'm (prone to) overlooking?

As always, any information is appreciated.

-- 
ryan beasley <ryanb@goddamnbastard.org>
GPG ID: 0x16EFBD48
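The mismatch described in the post, as an added example that is not part of the original post and is not IPFilter's code: a simplified model of a UDP state lookup that rejects a reply from the server's second address, next to a lookup relaxed the way the proposed `wild_daddr` flag suggests. The struct layout, the client address 10.0.0.5:40000, the server addresses and the choice to bound the wildcard by the rule's /28 are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define IP(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))

/* Simplified model of one UDP state entry (assumption, not IPFilter's struct). */
struct udp_state {
    uint32_t client_ip, server_ip;     /* addresses from the first outbound datagram */
    uint16_t client_port, server_port;
    int      wild_daddr;               /* the post's proposed flag (hypothetical) */
    uint32_t net, mask;                /* destination network of the rule */
};

/* Return 1 if an inbound datagram is accepted as a reply for state s. */
int reply_matches(const struct udp_state *s, uint32_t src_ip, uint16_t src_port,
                  uint32_t dst_ip, uint16_t dst_port)
{
    if (dst_ip != s->client_ip || dst_port != s->client_port)
        return 0;                      /* not addressed to the client's socket */
    if (src_port != s->server_port)
        return 0;                      /* service port is never wildcarded */
    if (src_ip == s->server_ip)
        return 1;                      /* exact match: reply from the queried address */
    /* Wildcard case: any address inside the rule's network, nothing wider. */
    return s->wild_daddr && (src_ip & s->mask) == s->net;
}

/* Constructed scenario: client 10.0.0.5:40000 queried 192.168.0.17:1723. */
int check(int wild, uint32_t src_ip, uint16_t src_port)
{
    struct udp_state s = { IP(10,0,0,5), IP(192,168,0,17), 40000, 1723,
                           wild, IP(192,168,0,16), 0xFFFFFFF0u /* /28 */ };
    return reply_matches(&s, src_ip, src_port, IP(10,0,0,5), 40000);
}

int main(void)
{
    uint32_t alt = IP(192,168,0,18);   /* server's second address (constructed) */
    printf("strict, reply from queried address: %d\n", check(0, IP(192,168,0,17), 1723));
    printf("strict, reply from second address:  %d\n", check(0, alt, 1723));
    printf("wild,   reply from second address:  %d\n", check(1, alt, 1723));
    printf("wild,   source outside the /28:     %d\n", check(1, IP(192,168,0,32), 1723));
    printf("wild,   wrong source port:          %d\n", check(1, alt, 1724));
    return 0;
}
```

Because the relaxed match is still keyed to the client address and port recorded in the state entry, it accepts a reply only for a client that actually sent a query, which is narrower than a stateless rule passing the server subnet and port to every client.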