Date: Tue, 19 Jun 2012 07:24:59 -0400
From: Jason Hellenthal
To: Nejc Škoberne
Cc: freebsd-pf@freebsd.org
Subject: Re: Source port translation only
Message-ID: <20120619112459.GA96895@DataIX.net>
In-Reply-To: <4FE0142A.80003@skoberne.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Tue, Jun 19, 2012 at 07:54:50AM +0200, Nejc Škoberne wrote:
> Hi,
>
> I want to do (stateful) source port translation (restriction actually)
> on my outgoing packets, but no source address translation. And I want to
> do it for IPv6.
>
> So if there is a TCP packet like this:
>
> SRC ADDR: 2001:db8::10
> DST ADDR: 2001:c0de:
> SRC PORT: 53523
> DST PORT: 80
>
> I want to translate it so that the source port falls into a specific
> port range, say [1024:2047]:
>
> SRC ADDR: 2001:db8::10
> DST ADDR: 2001:c0de:
> SRC PORT: 1500
> DST PORT: 80
>
> If the source port is already in the requested port range, no
> translation is needed (but the state has to be kept anyway).
>
> Is this possible to do with pf? If not, does anybody know for any other
> (simple) way to do it?
>

Push net.inet.ip.portrange.reservedhigh 1023 -> 2048 ?

- and -

Adjust net.inet.ip.portrange.last net.inet.ip.portrange.first lower ?

Don't have a clue why on earth you would want to do this though.

--
 - (2^(N-1))
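Added example for this thread (not Jason's reply and not the pf project's own code): a shell script that emits a pf nat rule, built from the pf.conf(5) port spec, which keeps the source address 2001:db8::10 and rewrites only the source port into 1024:2047, plus a consistency check for the net.inet.ip.portrange values the reply points at against the reserved-port boundary. The interface name em0 and the function names are assumptions; the sysctls are only read, and only when the script runs on FreeBSD.

```shell
#!/bin/sh
# Added example for this thread, not Jason's or the pf project's code.
# Two pieces: a pf.conf nat rule (built from the pf.conf(5) grammar) that
# rewrites only the source port of the questioner's host into 1024:2047,
# and a consistency check for the net.inet.ip.portrange sysctls named in
# the reply. The interface name em0 is an assumption.

# Emit a nat rule whose translation address is the host's own address, so
# the source address stays 2001:db8::10 and only the source port changes,
# picked by pf from first:last.
pf_source_port_rule() {  # args: interface host first last
    printf 'nat on %s inet6 proto { tcp udp } from %s to any -> %s port %s:%s\n' \
        "$1" "$2" "$2" "$3" "$4"
}

# Check a candidate ephemeral range (first:last) against reservedhigh.
# Ports <= reservedhigh need privilege for an explicit bind(2), so an
# ephemeral range that dips into them is inconsistent; also reject empty
# or out-of-range spans. Prints "ok" or the reason; returns 1 if bad.
portrange_check() {  # args: reservedhigh first last
    rh=$1; first=$2; last=$3
    if [ "$first" -le "$rh" ]; then
        echo "first=$first overlaps reserved ports (<= $rh)"; return 1
    fi
    if [ "$first" -ge "$last" ] || [ "$last" -gt 65535 ]; then
        echo "range $first:$last is empty or exceeds 65535"; return 1
    fi
    echo ok
}

# Values from the thread: the wanted range sits just above the FreeBSD
# default reservedhigh of 1023.
pf_source_port_rule em0 2001:db8::10 1024 2047
portrange_check 1023 1024 2047

# The portrange sysctls only steer ports for sockets this FreeBSD host
# opens itself; forwarded traffic needs the pf rule above. Show the live
# values (FreeBSD only) before changing them with sysctl(8).
if [ "$(uname -s)" = FreeBSD ]; then
    sysctl net.inet.ip.portrange.reservedhigh \
        net.inet.ip.portrange.first net.inet.ip.portrange.last
fi
```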