random nat source ports not always random

Jeremy C. Reed reed at reedmedia.net
Thu Jun 12 21:54:28 UTC 2008

I have

nat on iwi0 from port 2222 to any port 3333 -> \ 
port 5000:55000 random

1) I noticed by using a port 5000:55000 range that my random numbers were in 
a larger pool. I don't know if that is true or not but it appeared that 
way from a few tests (and not looking at source). Do you know what the 
default port range is for "random"?

2) Also I did this without "random" and it appeared to be random at first, 
but then started using same port numbers. I then added "random". From 
looking at PF FAQ, it seems to say it "might be ... replaced with randomly 
chosen, unused port", but man page doesn't. Do you know if it defaults to 

3) When using "random", it is mostly random, but when I do multiple 
requests to same destination (within a short period of time), it uses the 
same new source port. I can easily repeat this and see this with both 
tcpdump and pfctl -s state which shows MULTIPLE:MULTIPLE (instead of 

I am trying to find a setting that will disable that, so it will use a new 
random port each time.

It is acting like "sticky-address" option is used. pfctl -s timeouts shows 
that src.track is 0s (default).

Any suggestions on ignoring that state so each connection with identical 
original source/destination IP/port will be randomized?

(By the way, this is not on FreeBSD. But I think this list should be a 
good help anyways. I am using PF 3.7 on NetBSD.)
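As an added example (not from the post), a small Python checker that walks `pfctl -s state` output and reports NAT source ports shared by more than one state, plus ports outside the rule's 5000:55000 range; the state-line layout and the sample addresses are assumptions, since the post does not quote its pfctl output.

```python
import re
from collections import defaultdict

# Constructed sample in the layout assumed here for pf 3.7's `pfctl -s state`
# output of an outbound NAT state: <if> <proto> <orig src> -> <nat src> -> <dst> <states>.
# Addresses are made up; only the rule's ports (2222 -> 3333), the interface
# iwi0 and the 5000:55000 random range come from the post.
SAMPLE = """\
iwi0 udp 10.0.0.5:2222 -> 192.168.1.5:14321 -> 203.0.113.7:3333       MULTIPLE:MULTIPLE
iwi0 udp 10.0.0.5:2222 -> 192.168.1.5:14321 -> 203.0.113.9:3333       MULTIPLE:MULTIPLE
iwi0 udp 10.0.0.6:2222 -> 192.168.1.5:50777 -> 203.0.113.7:3333       MULTIPLE:MULTIPLE
iwi0 udp 10.0.0.7:2222 -> 192.168.1.5:60001 -> 203.0.113.7:3333       MULTIPLE:MULTIPLE
"""

STATE_RE = re.compile(
    r"^\S+\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+->\s+(?P<nat>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<state>\S+)$"
)

def endpoint(text):
    """Split 'host:port' into (host, int port); rsplit keeps IPv6 hosts intact."""
    host, port = text.rsplit(":", 1)
    return host, int(port)

def parse_states(text):
    """Return one dict per NAT state line; lines that do not match are skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            states.append({"proto": m.group("proto"),
                           "src": endpoint(m.group("src")),
                           "nat": endpoint(m.group("nat")),
                           "dst": endpoint(m.group("dst"))})
    return states

def audit_nat_ports(states, low, high):
    """Return (shared, out_of_range): NAT source endpoints used by more than
    one state, and states whose NAT port lies outside the configured range."""
    by_nat = defaultdict(list)
    for s in states:
        by_nat[s["nat"]].append(s)
    shared = {ep: v for ep, v in by_nat.items() if len(v) > 1}
    out_of_range = [s for s in states if not low <= s["nat"][1] <= high]
    return shared, out_of_range

if __name__ == "__main__":
    shared, out_of_range = audit_nat_ports(parse_states(SAMPLE), 5000, 55000)
    for ep, group in shared.items():
        print("NAT port %s:%d shared by %d states" % (ep[0], ep[1], len(group)))
    for s in out_of_range:
        print("NAT port %d outside 5000:55000 for %s:%d" % (s["nat"][1], *s["src"]))
```

Feed it the real `pfctl -s state` output instead of SAMPLE to compare the ports pf actually picked with the configured range.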
