Subject: Re: what is the NAT ports range for mapping one network?
To: None <netbsd-users@netbsd.org>
From: Martijn van Buul <pino@dohd.org>
List: netbsd-users
Date: 10/04/2005 13:47:46
It occurred to me that Igor Sobrado wrote in gmane.os.netbsd.general:

> Ports can be classified as either well-known ports (in the range
> from 0 up to 1023), registered ports (in the range from 1024 to
> 49151) and private ports, also known as dynamic ports, in the
> range from 49152 up to 65535.
>
> Well, I guess that using either well-known or registered ports
> is dangerous

No, it's not. It might not be a very bright thing to do, and there 
might be issues with it, but it's not *dangerous* in the context of "it will
generate a security risk". It might cause other problems, though.

> (what if we start a service with a registered port allocated and NAT is
> currently using that port?

Then you made a bad setup. Nothing can prevent against that. There is *NO*
port range which is guaranteed to be free, for the sole reason that any mortal
user can claim a port > 1024. If you setup a NAT, and assign a certain
port range to NAT, then you should consider these ports as occupied. If that
conflicts with what you want, then there's only one solution: Either NAT
or the desired application has to move. It's the same thing with two processes
wanting to listen on the same port. It's a flaw in the setup, not a flaw
in the system.

> Ok, I agree that a NAT router will probably not run one of these applications
> but it is better not using a registered port at all, though.

Using something below < 1024 is probably not a good idea, indeed. However,
there "registered" range is another matter. There are huge holes in the
IANA assignments (especially above >10.000), there's hardly any reason
not to use them, as long as they don't generate a local conflict.

> Should we use rules as
>
>   map fxp0 192.168.2.0/24 -> 10.0.0.5/32 portmap tcp/udp 49152:65535
>
> instead?

No, because then you have mapped the entire dynamic portrange for NAT, which
means that the NAT-box itself could run out of dynamic ports, which is a 
Really Bad Thing.

> What about ports being used by other applications in the range assigned
> in the mapping rule?  (a real risk if private ports are being used!)

By "private" I assume you mean "<1024" ? This is a bad idea for multiple
reasons. For one thing, there are several servers which will check this, and
deny connections with an originating port < 1024. If you make such a mapping,
then don't blame anyone else.

> Will ipf/PF manage these events and try another port in the range?

Again, don't expect ipf/PF to cover up for a bad setup you're making.

-- 
    Martijn van Buul - pino@dohd.org - http://www.stack.nl/~martijnb/
	 Geek code: G--  - Visit OuterSpace: mud.stack.nl 3333
 The most exciting phrase to hear in science, the one that heralds new
discoveries, is not 'Eureka!' (I found it!) but 'That's funny ...' Isaac Asimov