Subject: Re: IPNAT
To: Carlos Castro <castor@vivirasturias.com>
From: None <cube@cubidou.net>
List: netbsd-users
Date: 07/05/2004 12:08:22
On Mon, Jul 05, 2004 at 11:51:57AM +0200, Carlos Castro wrote:
> hello to all:
> 
> I have a doubt, I am setting up a firewall with NetBSD 1.6.2.
> This machine is running NAT.
> In all the documentation that I have seen, this appears:
> 
> map fxp0 xxxxxxxx/xx -> zzzzzzzzzz/xx portmap tcp/udp 10000:60000 (this
> changes)
> 
> My question is: why is there a need to assign high tcp/udp ports when running
> nat?

After some time spent thinking about your question, I'm reasonably
confident that you're asking why NAT somehow requires the use of a high
range of TCP and UDP ports.

If that's not what you're asking, please be more specific.

The range you're seeing is the one used by IP Filter to remap connections
so they appear from the gateway running IP Filter.  Those ports are used
as source ports for the translated connections and need to be somewhat
anonymous, about as much as the actual source port (from the raw packet).

Also, the range needs to be large enough to hold all translated
connections.  Here, 50000 available ports is more than reasonable.

Using lower ports would only bring confusion:  that's not what OSes usually
do anyway.

Quentin Garnier.
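To illustrate the point of the reply, here is an added model (not part of the thread and not IP Filter's code) of what the `portmap tcp/udp 10000:60000` clause does: every translated outbound flow takes one port from that range as its new source port on the gateway, replies are mapped back through the same table, and a range too small for the number of concurrent flows means new connections cannot be translated. The class, the gateway address and the sequential allocation order are assumptions made for illustration.

```python
from dataclasses import dataclass

# Range taken from the quoted ipnat rule; everything else here is assumed.
PORTMAP_LOW, PORTMAP_HIGH = 10000, 60000


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortmapNAT:
    """Toy model of a `map ... portmap` translation table (illustrative)."""

    def __init__(self, gateway_ip, low=PORTMAP_LOW, high=PORTMAP_HIGH):
        self.gateway_ip = gateway_ip
        # Pool of usable external source ports; pop() hands out the lowest
        # first.  Sequential allocation is a simplification for this model.
        self.free = list(range(high, low - 1, -1))
        self.out = {}    # inside Flow -> external port it was given
        self.back = {}   # (proto, ext_port, peer_ip, peer_port) -> inside Flow

    def translate_out(self, flow):
        """Rewrite an outbound flow so it appears to come from the gateway.

        Returns the translated Flow, or None when the portmap range is
        exhausted (the failure mode the reply warns about).
        """
        if flow in self.out:
            port = self.out[flow]           # existing connection: reuse mapping
        elif not self.free:
            return None                     # no port left in 10000:60000
        else:
            port = self.free.pop()
            self.out[flow] = port
            self.back[(flow.proto, port, flow.dst_ip, flow.dst_port)] = flow
        return Flow(flow.proto, self.gateway_ip, port, flow.dst_ip, flow.dst_port)

    def translate_in(self, proto, ext_port, peer_ip, peer_port):
        """Map a reply arriving at gateway_ip:ext_port back to the inside host."""
        return self.back.get((proto, ext_port, peer_ip, peer_port))

    def active(self):
        """Number of flows currently holding a port from the range."""
        return len(self.out)
```

Two inside hosts using the same source port toward the same server get distinct gateway ports, which is exactly why the pool has to be a shared range rather than the packet's original port.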