Subject: what is the NAT ports range for mapping one network?
To: None <firstname.lastname@example.org>
From: Igor Sobrado <email@example.com>
Date: 10/04/2005 12:33:51
This is a general question about NAT that I believe does not fit on
more specific NetBSD mailing lists.
Briefly: what is the ports range we must use for mapping one network
to an address using NAT?
From examples in /usr/share/examples/ipf it seems that we should
not care about the ports range used. Most examples use ranges
10000:20000, 10000:40000, or 40000:60000. But I believe it is
Ports can be classified as either well-known ports (in the range
from 0 up to 1023), registered ports (in the range from 1024 to
49151) and private ports, also known as dynamic ports, in the
range from 49152 up to 65535.
Well, I guess that using either well-known or registered ports
is dangerous (what if we start a service with a registered port
allocated and NAT is currently using that port? Ok, I agree
that a NAT router will probably not run one of these applications
but it is better not using a registered port at all, though.
Should we use rules as
map fxp0 192.168.2.0/24 -> 10.0.0.5/32 portmap tcp/udp 49152:65535
What about ports being used by other applications in the range assigned
in the mapping rule? (a real risk if private ports are being used!)
Will ipf/PF manage these events and try another port in the range?
Have a nice day!