
Re: outbound addresses and PF



Are you really sure about this?
Taken from: <http://www.ncftpd.com/ncftpd/doc/misc/ephemeral_ports.html>

"OpenBSD uses the sysctl command to tune kernel parameters.  The
ephemeral ports on OpenBSD are actually two separate ranges, the regular
range, and the alternate "high" range.  Below is an example showing how
to use sysctl to view the current configuration of these two ranges:
# sysctl net.inet.ip.portfirst net.inet.ip.portlast \
    net.inet.ip.porthifirst  net.inet.ip.porthilast 
net.inet.ip.portfirst = 1024
net.inet.ip.portlast = 49151
net.inet.ip.porthifirst = 49152
net.inet.ip.porthilast = 65535
[snip]
Note that NcFTPd uses the alternate range, whose default values are
acceptable.  Therefore, no tuning is necessary unless you want to change
the behavior of other programs which may not explicitly attempt to use
the alternate range like NcFTPd does."

Even if PF used the ephemeral port range, the question would be:
does this screw up outbound connections sourced on the firewall?
(e.g. ftp-proxy connections?)

To clarify, if ftp-proxy used tcp/65000 to talk to ftp.openbsd.org,
and then a PF rule like:
  nat on $EXTIF from 10.0.0.0/8 to any -> ($EXTIF)
decided to use the same source port of 65000, how can PF correctly
demangle the replies from ftp.openbsd.org?

Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto                                       Tel. 07855 805 271
http://www.devitto.com                         mailto:dom_(_at_)_devitto_(_dot_)_com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
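The collision Dom describes, modelled as an added example (this is not PF's code and not from anyone in this thread): a stateful NAT has to match replies on the full tuple (protocol, remote address, remote port, local address, local port), so it can only reuse source port 65000 for a translated 10.0.0.0/8 connection if no existing state, including a firewall-originated one such as ftp-proxy's, already owns that tuple. The addresses are constructed (RFC 5737 documentation ranges stand in for the firewall and for ftp.openbsd.org), and the allocation policy shown (keep the original port when free, otherwise scan the "high" range from the quoted sysctl output) is an assumption chosen for illustration, not a description of PF's allocator.

```python
"""Simplified model of stateful NAT source-port selection (added example).

Assumption for illustration: the NAT prefers the client's original source
port and falls back to scanning the high ephemeral range.  PF's real
allocator is not described here.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

EXT_ADDR = "192.0.2.1"        # constructed: firewall's external address ($EXTIF)
FTP_SERVER = "198.51.100.7"   # constructed: stands in for ftp.openbsd.org
PORT_RANGE = (49152, 65535)   # "high" range from the quoted sysctl output

# Inbound packets are looked up by (proto, remote_addr, remote_port,
# our_addr, our_port); two flows with an identical key are indistinguishable.
ReplyKey = Tuple[str, str, int, str, int]


@dataclass
class State:
    orig_src: str      # real source address (internal host, or the firewall)
    orig_sport: int    # source port before translation
    nat_src: str       # address the remote peer sees
    nat_sport: int     # port the remote peer sees
    dst: str
    dport: int
    proto: str


class NatTable:
    def __init__(self, ext_addr: str, port_range: Tuple[int, int]) -> None:
        self.ext_addr = ext_addr
        self.lo, self.hi = port_range
        self.states: Dict[ReplyKey, State] = {}

    @staticmethod
    def _reply_key(proto: str, src: str, sport: int, dst: str, dport: int) -> ReplyKey:
        # Key as the reply will arrive: remote side first, then our side.
        return (proto, dst, dport, src, sport)

    def add_local(self, proto: str, sport: int, dst: str, dport: int) -> State:
        """Firewall-originated connection (e.g. ftp-proxy); not translated."""
        key = self._reply_key(proto, self.ext_addr, sport, dst, dport)
        if key in self.states:
            raise ValueError("tuple already in use")
        st = State(self.ext_addr, sport, self.ext_addr, sport, dst, dport, proto)
        self.states[key] = st
        return st

    def nat_outbound(self, proto: str, src: str, sport: int, dst: str, dport: int) -> State:
        """Translate an internal host's connection, choosing a collision-free port."""
        candidates = [sport] if self.lo <= sport <= self.hi else []
        candidates += list(range(self.lo, self.hi + 1))
        for p in candidates:
            key = self._reply_key(proto, self.ext_addr, p, dst, dport)
            if key not in self.states:
                st = State(src, sport, self.ext_addr, p, dst, dport, proto)
                self.states[key] = st
                return st
        raise RuntimeError("no free source port toward this destination")

    def match_reply(self, proto: str, src: str, sport: int, dst: str, dport: int) -> Optional[State]:
        """Look up an inbound packet by its full tuple; None means no state."""
        return self.states.get((proto, src, sport, dst, dport))


def demo():
    nat = NatTable(EXT_ADDR, PORT_RANGE)
    # ftp-proxy on the firewall talks to the FTP server from tcp/65000.
    proxy = nat.add_local("tcp", 65000, FTP_SERVER, 21)
    # An internal host also uses source port 65000 to the same server:
    # keeping 65000 would duplicate the proxy's reply key, so it is moved.
    client = nat.nat_outbound("tcp", "10.1.2.3", 65000, FTP_SERVER, 21)
    # A different destination does not collide, so 65000 is kept there.
    other = nat.nat_outbound("tcp", "10.1.2.4", 65000, "203.0.113.9", 21)
    reply_to_proxy = nat.match_reply("tcp", FTP_SERVER, 21, EXT_ADDR, 65000)
    reply_to_client = nat.match_reply("tcp", FTP_SERVER, 21, EXT_ADDR, client.nat_sport)
    return proxy, client, other, reply_to_proxy, reply_to_client


if __name__ == "__main__":
    proxy, client, other, r1, r2 = demo()
    print("proxy keeps", proxy.nat_sport, "| client moved to", client.nat_sport,
          "| other keeps", other.nat_sport)
    print("reply on 65000 ->", r1.orig_src, "| reply on", client.nat_sport, "->", r2.orig_src)
```

The point the model makes is that replies are disambiguated by the whole tuple, not by the source port alone: the same port can serve two flows to different destinations, but a translated flow may never be given a tuple that a firewall-local flow already holds.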

 


-----Original Message-----
From: owner-misc_(_at_)_openbsd_(_dot_)_org [mailto:owner-misc_(_at_)_openbsd_(_dot_)_org] On Behalf
Of Michael Hilscher
Sent: Saturday, December 14, 2002 6:13 PM
To: misc_(_at_)_openbsd_(_dot_)_org
Subject: Re: outbound addresses and PF


On Sat, Dec 14, 2002 at 03:05:47PM -0000, Dom De Vitto wrote:
> Does anyone know how many ports are used, and in what range for PF 
> nat?
The high port range for TCP and UDP starts at port number 1024 and ends at
port number 65535.

greetinXs,
Michael Hilscher

-- 
Would Mozart have been more productive if he had scribes to help him, a
secretary and a CEO to lead his way? -- Linus Torvalds


