Date: Tue, 19 Jun 2012 07:24:59 -0400
From: Jason Hellenthal <jhellenthal@dataix.net>
To: Nejc Škoberne <nejc@skoberne.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: Source port translation only
Message-ID: <20120619112459.GA96895@DataIX.net>
In-Reply-To: <4FE0142A.80003@skoberne.net>
References: <4FE0142A.80003@skoberne.net>

On Tue, Jun 19, 2012 at 07:54:50AM +0200, Nejc Škoberne wrote:
> Hi,
>
> I want to do (stateful) source port translation (restriction actually)
> on my outgoing packets, but no source address translation. And I want to
> do it for IPv6.
>
> So if there is a TCP packet like this:
>
> SRC ADDR: 2001:db8::10
> DST ADDR: 2001:c0de:
> SRC PORT: 53523
> DST PORT: 80
>
> I want to translate it so that the source port falls into a specific
> port range, say [1024:2047]:
>
> SRC ADDR: 2001:db8::10
> DST ADDR: 2001:c0de:
> SRC PORT: 1500
> DST PORT: 80
>
> If the source port is already in the requested port range, no
> translation is needed (but the state has to be kept anyway).
>
> Is this possible to do with pf? If not, does anybody know of any other
> (simple) way to do it?
>

Push net.inet.ip.portrange.reservedhigh 1023 -> 2048 ?

- and -

Adjust net.inet.ip.portrange.last net.inet.ip.portrange.first lower ?

Don't have a clue why on earth you would want to do this though.

--

 - (2^(N-1))
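Added example, not part of the thread and not pf or kernel code: a small Python model of the behaviour the question describes, where only the source port is rewritten into [1024:2047] and a state table keeps the mapping for replies. The class name, method names and the destination address `2001:db8:ffff::1` are constructed for illustration; it shows why state is needed even for a port that is already in range.

```python
from dataclasses import dataclass, field

PORT_LOW, PORT_HIGH = 1024, 2047  # range taken from the question


@dataclass
class PortTranslator:
    """Toy state table: rewrites the source port only, never the address."""
    low: int = PORT_LOW
    high: int = PORT_HIGH
    out: dict = field(default_factory=dict)   # original flow -> translated port
    back: dict = field(default_factory=dict)  # translated flow -> original port

    def outbound(self, proto, src, sport, dst, dport):
        """Return the source port to put on the wire for this flow."""
        key = (proto, src, sport, dst, dport)
        if key in self.out:                    # existing state: reuse mapping
            return self.out[key]
        # Prefer the original port when it is already in range, then scan.
        candidates = [sport] if self.low <= sport <= self.high else []
        candidates += range(self.low, self.high + 1)
        for port in candidates:
            rkey = (proto, src, port, dst, dport)
            if rkey not in self.back:          # free for this src/dst pair
                self.out[key] = port
                self.back[rkey] = sport
                return port
        raise RuntimeError("port range exhausted for this destination")

    def inbound(self, proto, src, sport, dst, dport):
        """Reply packet: return the original port, or None if no state."""
        return self.back.get((proto, dst, dport, src, sport))


if __name__ == "__main__":
    HOST = "2001:db8::10"
    DST = "2001:db8:ffff::1"                   # constructed destination
    t = PortTranslator()
    print(t.outbound("tcp", HOST, 53523, DST, 80))  # rewritten into range
    print(t.outbound("tcp", HOST, 1024, DST, 80))   # in range but taken
    print(t.inbound("tcp", DST, 80, HOST, 1024))    # reply restored
```

The second flow already has an in-range port, yet it must be moved because an earlier translation occupies it; without the state table the two flows would be indistinguishable on the return path.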