[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pf filter rulesets

To: misc_(_at_)_openbsd_(_dot_)_org
Subject: Re: pf filter rulesets
From: Henning Brauer <lists-openbsd_(_at_)_bsws_(_dot_)_de>
Date: Mon, 26 May 2003 09:21:02 +0200
Mail-followup-to: misc_(_at_)_openbsd_(_dot_)_org

On Mon, May 26, 2003 at 02:55:59AM -0400, Jolan Luff wrote:
> On Sun, May 25, 2003 at 11:44:45PM -0700, Mike Ayers wrote:
> > 	First question:  Does NAT translation preserve port number unless 
> > 	that port is not available on the external interface?  The NAT rules, 
> > unless I am misreading, are incapable of specifying source ports.  In some 
> > cases, such as Microsoft VPN, it is necessary to ensure that the source 
> > port number remains unchanged, (meaning only one such connection per NAT 
> > network).
> 
> I'm guessing this is what you want, from pf.conf(5):
> 
> # NAT PROXYING
> # map outgoing packets' source port to an assigned proxy port instead of
> # an arbitrary port
> # in this case, proxy outgoing isakmp with port 500 on the gateway
> nat on kue0 inet proto udp from any port = isakmp to any -> (kue0) \
>         port 500

no, that will change the source port.
see static-port:

     static-port
           With nat rules, the static-port option prevents pf(4) from modify-
           ing the source port on tcp and udp packets.


-- 
http://2suck.net/hhwl.html - http://www.bsws.de/
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)

Follow-Ups:
- Re: pf filter rulesets
  - From: Jolan Luff
- Re: pf filter rulesets
  - From: Mike Ayers

Prev by Date: Re: Problems with XFree86
Next by Date: Re: pf filter rulesets
Previous by thread: Re: pf filter rulesets
Next by thread: Re: pf filter rulesets
Index(es):
- Date
- Thread

Visit your host, monkey.org