Connection Tracking
Stateful firewalls maintain a connection tracking table, which is dynamically built based on actual traffic passing through the firewall.
A typical entry in the table records UDP traffic from an internal device (source IP and port) that NAT translates to the public IP of the firewall, preserving the port, and forwards to the destination IP and port:

| Protocol | Source → Router → Destination |
|---|---|
| UDP | 192.168.1.10:20000 → 203.0.113.10:20000 → 198.51.100.20:2000 |
If the session is initiated from the other endpoint instead, the same entry appears in reverse in the connection tracking table:

| Protocol | Source → Router → Destination |
|---|---|
| UDP | 198.51.100.20:20000 → 203.0.113.10:20000 → 192.168.1.10:20000 |
Typically, an encoder starts an SRT session in Caller mode, with a decoder in Listener mode waiting for its control packets. In Rendezvous mode, both endpoints send control packets to initiate the connection. The outgoing packets create an entry in each firewall's table, and when the peer's packets arrive they match that entry in reverse. The firewall therefore treats the inbound packets as responses to the outbound ones and permits them to pass for the duration of the streaming session.
Rendezvous mode allows the source and destination devices to “punch out” holes from the inside of their respective firewalls. The only conditions are that both devices must be in Rendezvous mode, both must be using the same port number, and the outbound entry on each firewall must preserve the source port number; when these hold, no inbound (input entry) rules need to be created on either firewall.
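The following toy model illustrates the connection tracking behaviour described above. It is an added example, not code from the original page or from the SRT project: the public IPs and port 20000 come from the tables above, while the private decoder address, the class and the function names are assumptions made for this constructed scenario.

```python
"""Toy model of two stateful NAT firewalls, one in front of an SRT encoder
and one in front of a decoder, showing why Rendezvous mode traverses them
while a plain Caller -> Listener connection is dropped at the listener side."""
from dataclasses import dataclass, field

UDP = "UDP"

@dataclass
class Firewall:
    public_ip: str
    table: set = field(default_factory=set)       # dynamic connection tracking entries
    open_ports: set = field(default_factory=set)  # static "input entry" rules

    def send(self, src_port, peer):
        """Outbound UDP: NAT preserves the source port and records
        (proto, translated source, destination) in the tracking table."""
        self.table.add((UDP, (self.public_ip, src_port), peer))
        return (self.public_ip, src_port)         # address the peer will see

    def accept(self, src, dst_port):
        """Inbound UDP passes only if it is the reverse of an existing entry
        (i.e. looks like a reply) or a static rule has opened the port."""
        return ((UDP, (self.public_ip, dst_port), src) in self.table
                or dst_port in self.open_ports)

def rendezvous(port_a=20000, port_b=20000):
    """Both endpoints send control packets from their port to the same port on
    the peer. Returns (encoder firewall accepts, decoder firewall accepts)."""
    fw_enc = Firewall("203.0.113.10")   # in front of 192.168.1.10 (encoder)
    fw_dec = Firewall("198.51.100.20")  # in front of an assumed 192.168.2.10 (decoder)
    enc_pub = fw_enc.send(port_a, (fw_dec.public_ip, port_a))
    dec_pub = fw_dec.send(port_b, (fw_enc.public_ip, port_b))
    return fw_enc.accept(dec_pub, port_b), fw_dec.accept(enc_pub, port_a)

def caller_listener(port=20000, listener_rule=False):
    """Caller (encoder) sends first; the listener's firewall has no outbound
    entry, so the packet is dropped unless a static inbound rule exists."""
    fw_enc, fw_dec = Firewall("203.0.113.10"), Firewall("198.51.100.20")
    if listener_rule:
        fw_dec.open_ports.add(port)
    enc_pub = fw_enc.send(port, (fw_dec.public_ip, port))
    return fw_dec.accept(enc_pub, port)

if __name__ == "__main__":
    print("rendezvous, same port:", rendezvous())                       # (True, True)
    print("rendezvous, mismatched ports:", rendezvous(20000, 30000))    # (False, False)
    print("caller->listener, no rule:", caller_listener())              # False
    print("caller->listener, with rule:", caller_listener(listener_rule=True))  # True
```

The mismatched-port case shows why the "same port number" condition matters: each firewall's outbound entry no longer matches the peer's packet in reverse, so both sides drop it.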