Subject: what is the NAT ports range for mapping one network?
To: None <>
From: Igor Sobrado <>
List: netbsd-users
Date: 10/04/2005 12:33:51

This is a general question about NAT that I believe does not fit on
more specific NetBSD mailing lists.

Briefly: what is the ports range we must use for mapping one network
to an address using NAT?

From examples in /usr/share/examples/ipf it seems that we should
not care about the ports range used.  Most examples use ranges
10000:20000, 10000:40000, or 40000:60000.  But I believe it is
not true.

Ports can be classified as either well-known ports (in the range
from 0 up to 1023), registered ports (in the range from 1024 to
49151) and private ports, also known as dynamic ports, in the
range from 49152 up to 65535.

Well, I guess that using either well-known or registered ports
is dangerous (what if we start a service with a registered port
allocated and NAT is currently using that port?  Ok, I agree
that a NAT router will probably not run one of these applications
but it is better not using a registered port at all, though.

Should we use rules as

  map fxp0 -> portmap tcp/udp 49152:65535


What about ports being used by other applications in the range assigned
in the mapping rule?  (a real risk if private ports are being used!)
Will ipf/PF manage these events and try another port in the range?

Have a nice day!