From: Jason Hellenthal <jhellenthal@dataix.net>
To: Nejc Škoberne
Cc: freebsd-pf@freebsd.org
Date: Tue, 19 Jun 2012 07:26:28 -0400
Subject: Re: Source port translation only
Message-ID: <20120619112628.GB96895@DataIX.net>
In-Reply-To: <20120619112459.GA96895@DataIX.net>
References: <4FE0142A.80003@skoberne.net> <20120619112459.GA96895@DataIX.net>
List-Id: Technical discussion and general questions about packet filter (pf)

On Tue, Jun 19, 2012 at 07:24:59AM -0400, Jason Hellenthal wrote:
> 
> 
> On Tue, Jun 19, 2012 at 07:54:50AM +0200, Nejc Škoberne wrote:
> > Hi,
> > 
> > I want to do (stateful) source port translation (restriction actually)
> > on my outgoing packets, but no source address translation. And I want to
> > do it for IPv6.
> > 
> > So if there is a TCP packet like this:
> > 
> > SRC ADDR: 2001:db8::10
> > DST ADDR: 2001:c0de:
> > SRC PORT: 53523
> > DST PORT: 80
> > 
> > I want to translate it so that the source port falls into a specific
> > port range, say [1024:2047]:
> > 
> > SRC ADDR: 2001:db8::10
> > DST ADDR: 2001:c0de:
> > SRC PORT: 1500
> > DST PORT: 80
> > 
> > If the source port is already in the requested port range, no
> > translation is needed (but the state has to be kept anyway).
> > 
> > Is this possible to do with pf? If not, does anybody know for any other
> > (simple) way to do it?
> > 
> 
> Push net.inet.ip.portrange.reservedhigh 1023 -> 2048 ?
> 
> - and -
> 
> Adjust net.inet.ip.portrange.last net.inet.ip.portrange.first lower ?
> 
> 
> Don't have a clue why on earth you would want to do this though.
> 

Should have added that ... no matter how you do this you are going to be
increasing your chances of port collision or exhaustion.

-- 
 - (2^(N-1))
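A worked check of the exhaustion point raised at the end of this reply, added here as an example that is not part of the thread: it models the [1024:2047] source-port range from the question against an assumed FreeBSD-style default range (first=10000, last=65535) and an assumed 60 s hold time per connection (flow lifetime plus 2*MSL TIME_WAIT), giving the sustainable new-connection rate per destination and how many random port picks the allocator needs as the narrow range fills.

```python
# Added example (not from the thread): what narrowing the ephemeral source-port
# range to [1024:2047] does to port exhaustion, versus an assumed default range.
# Assumptions: ports are picked uniformly at random within the range (the
# net.inet.ip.portrange.randomized=1 behaviour), a busy port is retried, and
# each connection to one destination holds its port for hold_seconds
# (flow lifetime plus TIME_WAIT; 60 s = 2*MSL is assumed here).

PORT_MAX = 65535


def range_size(first: int, last: int) -> int:
    """Number of source ports in the inclusive range [first:last]."""
    if not 0 <= first <= last <= PORT_MAX:
        raise ValueError(f"bad port range [{first}:{last}]")
    return last - first + 1


def sustainable_rate(first: int, last: int, hold_seconds: float) -> float:
    """New connections per second to a single (dst addr, dst port) that the
    range can sustain before every port is tied up (pf state or TIME_WAIT)."""
    return range_size(first, last) / hold_seconds


def expected_probes(first: int, last: int, in_use: int) -> float:
    """Expected number of random port picks until a free one is found when
    `in_use` ports to that destination are already held (geometric mean
    n / (n - in_use)); infinite once the range is exhausted."""
    n = range_size(first, last)
    if in_use >= n:
        return float("inf")  # range exhausted: no pick can succeed
    return n / (n - in_use)


def compare(narrow=(1024, 2047), default=(10000, 65535),
            hold_seconds=60.0, in_use=1000) -> dict:
    """Side-by-side figures for the narrow range from the thread and the
    assumed default range; keys are 'narrow' and 'default'."""
    out = {}
    for name, (first, last) in (("narrow", narrow), ("default", default)):
        out[name] = {
            "ports": range_size(first, last),
            "conn_per_sec": sustainable_rate(first, last, hold_seconds),
            "probes_at_in_use": expected_probes(first, last, in_use),
        }
    return out


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:8s} ports={row['ports']:6d} "
              f"max {row['conn_per_sec']:7.1f} conn/s per destination, "
              f"{row['probes_at_in_use']:.2f} picks per port with 1000 in use")
```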