Source port translation only

Jason Hellenthal jhellenthal at dataix.net
Tue Jun 19 11:26:34 UTC 2012



On Tue, Jun 19, 2012 at 07:24:59AM -0400, Jason Hellenthal wrote:
> 
> 
> On Tue, Jun 19, 2012 at 07:54:50AM +0200, Nejc Škoberne wrote:
> > Hi,
> > 
> > I want to do (stateful) source port translation (restriction actually) 
> > on my outgoing packets, but no source address translation. And I want to 
> > do it for IPv6.
> > 
> > So if there is a TCP packet like this:
> > 
> > SRC ADDR: 2001:db8::10
> > DST ADDR: 2001:c0de:
> > SRC PORT: 53523
> > DST PORT: 80
> > 
> > I want to translate it so that the source port falls into a specific 
> > port range, say [1024:2047]:
> > 
> > SRC ADDR: 2001:db8::10
> > DST ADDR: 2001:c0de:
> > SRC PORT: 1500
> > DST PORT: 80
> > 
> > If the source port is already in the requested port range, no 
> > translation is needed (but the state has to be kept anyway).
> > 
> > Is this possible to do with pf? If not, does anybody know of any other 
> > (simple) way to do it?
> > 
> 
> Push net.inet.ip.portrange.reservedhigh 1023 -> 2048 ?
> 
> - and -
> 
> Adjust net.inet.ip.portrange.last net.inet.ip.portrange.first lower ?
> 
> 
> Don't have a clue why on earth you would want to do this though.
> 

Should have added that ... no matter how you do this you are going to be
increasing your chances of port collision or exhaustion.

-- 

 - (2^(N-1))
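To put a number on the collision and exhaustion caveat raised above for a range like [1024:2047], here is an added model (not code from the thread or from FreeBSD): a birthday-bound calculation plus a simplified random-pick-with-retry allocator. The allocator is an assumption for illustration, not FreeBSD's actual port selection code, and the port range is the constructed one from the question.

```python
import random

# Range taken from the question in the thread (constructed example values).
PORT_LOW, PORT_HIGH = 1024, 2047


def usable_ports(low=PORT_LOW, high=PORT_HIGH):
    """Distinct source ports one source address can use in the range."""
    return high - low + 1


def collision_probability(flows, n_ports=usable_ports()):
    """Probability that `flows` independent random picks (no retry)
    contain at least one duplicate port: the birthday bound."""
    if flows > n_ports:
        return 1.0
    p_distinct = 1.0
    for i in range(flows):
        p_distinct *= (n_ports - i) / n_ports
    return 1.0 - p_distinct


def allocate_port(in_use, low=PORT_LOW, high=PORT_HIGH, rng=random):
    """Simplified randomized allocator (assumed model, not the kernel's):
    pick random ports until a free one is found; (None, 0) when the range
    is exhausted. Returns (port, attempts)."""
    if len(in_use) >= high - low + 1:
        return None, 0
    attempts = 0
    while True:
        attempts += 1
        port = rng.randint(low, high)
        if port not in in_use:
            in_use.add(port)
            return port, attempts


def simulate(flows, seed=0):
    """Open `flows` concurrent flows from one address and report how many
    got a port, whether the range ran dry, and total allocation attempts."""
    rng = random.Random(seed)
    in_use, total_attempts = set(), 0
    for _ in range(flows):
        port, attempts = allocate_port(in_use, rng=rng)
        if port is None:
            return {"allocated": len(in_use), "exhausted": True,
                    "attempts": total_attempts}
        total_attempts += attempts
    return {"allocated": len(in_use), "exhausted": False,
            "attempts": total_attempts}
```

With only 1024 ports, roughly 40 simultaneous flows already give a better-than-even chance of a first-pick collision, and the 1025th concurrent flow from the same address cannot get a port at all.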


More information about the freebsd-pf mailing list