Subject: Re: what is the NAT ports range for mapping one network?
To: None <email@example.com>
From: Martijn van Buul <firstname.lastname@example.org>
Date: 10/04/2005 13:47:46
It occurred to me that Igor Sobrado wrote in gmane.os.netbsd.general:
> Ports can be classified as either well-known ports (in the range
> from 0 up to 1023), registered ports (in the range from 1024 to
> 49151) and private ports, also known as dynamic ports, in the
> range from 49152 up to 65535.
> Well, I guess that using either well-known or registered ports
> is dangerous
No, it's not. It might not be a very bright thing to do, and there
might be issues with it, but it's not *dangerous* in the context of "it will
generate a security risk". It might cause other problems, though.
> (what if we start a service with a registered port allocated and NAT is
> currently using that port?
Then you made a bad setup. Nothing can prevent against that. There is *NO*
port range which is guaranteed to be free, for the sole reason that any mortal
user can claim a port > 1024. If you setup a NAT, and assign a certain
port range to NAT, then you should consider these ports as occupied. If that
conflicts with what you want, then there's only one solution: Either NAT
or the desired application has to move. It's the same thing with two processes
wanting to listen on the same port. It's a flaw in the setup, not a flaw
in the system.
> Ok, I agree that a NAT router will probably not run one of these applications
> but it is better not using a registered port at all, though.
Using something below < 1024 is probably not a good idea, indeed. However,
there "registered" range is another matter. There are huge holes in the
IANA assignments (especially above >10.000), there's hardly any reason
not to use them, as long as they don't generate a local conflict.
> Should we use rules as
> map fxp0 192.168.2.0/24 -> 10.0.0.5/32 portmap tcp/udp 49152:65535
No, because then you have mapped the entire dynamic portrange for NAT, which
means that the NAT-box itself could run out of dynamic ports, which is a
Really Bad Thing.
> What about ports being used by other applications in the range assigned
> in the mapping rule? (a real risk if private ports are being used!)
By "private" I assume you mean "<1024" ? This is a bad idea for multiple
reasons. For one thing, there are several servers which will check this, and
deny connections with an originating port < 1024. If you make such a mapping,
then don't blame anyone else.
> Will ipf/PF manage these events and try another port in the range?
Again, don't expect ipf/PF to cover up for a bad setup you're making.
Martijn van Buul - email@example.com - http://www.stack.nl/~martijnb/
Geek code: G-- - Visit OuterSpace: mud.stack.nl 3333
The most exciting phrase to hear in science, the one that heralds new
discoveries, is not 'Eureka!' (I found it!) but 'That's funny ...' Isaac Asimov