Source port translation only
Jason Hellenthal
jhellenthal at dataix.net
Tue Jun 19 11:25:05 UTC 2012
On Tue, Jun 19, 2012 at 07:54:50AM +0200, Nejc Škoberne wrote:
> Hi,
>
> I want to do (stateful) source port translation (restriction actually)
> on my outgoing packets, but no source address translation. And I want to
> do it for IPv6.
>
> So if there is a TCP packet like this:
>
> SRC ADDR: 2001:db8::10
> DST ADDR: 2001:c0de:
> SRC PORT: 53523
> DST PORT: 80
>
> I want to translate it so that the source port falls into a specific
> port range, say [1024:2047]:
>
> SRC ADDR: 2001:db8::10
> DST ADDR: 2001:c0de:
> SRC PORT: 1500
> DST PORT: 80
>
> If the source port is already in the requested port range, no
> translation is needed (but the state has to be kept anyway).
>
> Is this possible to do with pf? If not, does anybody know of any other
> (simple) way to do it?
>
Push net.inet.ip.portrange.reservedhigh 1023 -> 2048 ?
- and -
Adjust net.inet.ip.portrange.last net.inet.ip.portrange.first lower ?
Don't have a clue why on earth you would want to do this though.
--
- (2^(N-1))