[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: pf filter rulesets
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: pf filter rulesets
- From: Henning Brauer <lists-openbsd_(_at_)_bsws_(_dot_)_de>
- Date: Mon, 26 May 2003 09:21:02 +0200
- Mail-followup-to: misc_(_at_)_openbsd_(_dot_)_org
On Mon, May 26, 2003 at 02:55:59AM -0400, Jolan Luff wrote:
> On Sun, May 25, 2003 at 11:44:45PM -0700, Mike Ayers wrote:
> > First question: Does NAT translation preserve port number unless
> > that port is not available on the external interface? The NAT rules,
> > unless I am misreading, are incapable of specifying source ports. In some
> > cases, such as Microsoft VPN, it is necessary to ensure that the source
> > port number remains unchanged, (meaning only one such connection per NAT
> > network).
> I'm guessing this is what you want, from pf.conf(5):
> # NAT PROXYING
> # map outgoing packets' source port to an assigned proxy port instead of
> # an arbitrary port
> # in this case, proxy outgoing isakmp with port 500 on the gateway
> nat on kue0 inet proto udp from any port = isakmp to any -> (kue0) \
> port 500
no, that will change the source port.
With nat rules, the static-port option prevents pf(4) from modify-
ing the source port on tcp and udp packets.
http://2suck.net/hhwl.html - http://www.bsws.de/
Unix is very simple, but it takes a genius to understand the simplicity.