Subject: Re: what is the NAT ports range for mapping one network?
To: None <netbsd-users@netbsd.org>
From: Igor Sobrado <igor@string1.ciencias.uniovi.es>
List: netbsd-users
Date: 10/05/2005 14:25:06
Sorry for the way I am replying to this email.  I am not subscribed
to this mailing list, but I will send a cc to myself.

Thanks a lot, Jonathan and Martijn, for your detailed answers.
I really appreciate them.

From both replies (I believe that there are no more replies at this
time) I understand that a port range reserved for NAT cannot
be used for other purposes.  Briefly, Jonathan writes that "ports
just under 65535 should be avoided" (not exact wording) and
Martijn says that

  map fxp0 192.168.2.0/24 -> 10.0.0.5/32 portmap tcp/udp 49152:65535

will map the entire dynamic portrange for NAT.  From these answers
I understand that the port range is fully reserved for NAT and
cannot be used for other purposes.  I supposed that it was the range
where ports would be opened for NAT, but that other services can
open ports on that range at same time.  In other words, I supposed
that a "translated address" was something comparable to "starting a
new client" on the NAT router.  It seems now that these ports are
not allocated by the operating system in the same way other dynamic
(private) ports are.

I fully agree about not using something below 1024.  In fact, there
are three standard port ranges documented in RFCs:

   port range      known as           used by
  --------------- ------------------ -------------------------------------
       0 - 1023    well-known ports   system daemons to listen for client
                                      connections (e.g., telnet, ftp, ssh,
                                      finger...)
    1024 - 49151   registered ports   applications (these ports are assigned
                                      by IANA) (e.g., X11 uses ports from
                                      6000 up to 6063)
   49152 - 65535   dynamic/private    used by clients to establish a
                   ports              connection to a server

I suppose that, in any case, NAT ports should not be allocated under
49152.  Certainly, there are huge holes in the IANA assignments
(hopefully we are not running out of ports yet!!!) but that does not
mean that we can freely use these ports.  In fact, I believe that it
is better not to use them at all.

Let me outline an example.  If we choose 5000:10000 as range, there is
a risk of port number 6000 being allocated before the first X server
is running.

By "dangerous" I mean allocating ports that will *not allow* services
to start; I am not referring to security concerns (in fact, NetBSD is
probably one of the most secure operating systems these days, with
all ports closed by default on public interfaces).  Allocating
port number 6000 before the first X server starts (or 6001 before
the second one starts) would be a non-obvious problem, difficult
to discover before it happens.

For me, private/dynamic ports are all those over 49151.

Now, it is clear that when a port range is provided for mapping
addresses, we cannot use ports in that range for other purposes.

Just a theoretical question: I will build a NAT router in a week
or so for personal use and wanted to make sure the port range
was right.  I was surprised to see ports below 49152 allocated
for address mapping in the examples.

Cheers,
Igor.
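As an added example (not part of the thread, and not code from Igor, Jonathan or Martijn), the following Python checker parses an ipf `map ... portmap proto lo:hi` rule, reports which of the IANA ranges from the table above the portmap span touches, and flags overlap with ports that services on the router itself listen on. The list of local services is a constructed assumption for the example (ssh on 22, X11 displays :0 to :63 on 6000-6063 as discussed above); only numeric `lo:hi` ranges are parsed, so `portmap tcp/udp auto` is rejected rather than guessed at.

```python
import re

# IANA port ranges as laid out in the message: (low, high, name).
IANA_RANGES = (
    (0, 1023, "well-known"),
    (1024, 49151, "registered"),
    (49152, 65535, "dynamic/private"),
)

# Assumed services the NAT router itself may listen on (constructed for this
# example; X11 displays :0 to :63 use 6000-6063 as mentioned in the thread).
LOCAL_SERVICES = {
    "ssh": (22, 22),
    "X11": (6000, 6063),
}

# Only numeric "lo:hi" portmap ranges are handled; "portmap tcp/udp auto"
# and map rules without a portmap clause are rejected by the parser.
MAP_RE = re.compile(
    r"^\s*map\s+(?P<iface>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
    r"\s+portmap\s+(?P<proto>tcp|udp|tcp/udp)\s+(?P<lo>\d+):(?P<hi>\d+)\s*$"
)


def overlaps(lo, hi, a, b):
    """True if the closed ranges [lo, hi] and [a, b] share at least one port."""
    return lo <= b and hi >= a


def parse_map(line):
    """Parse one ipf 'map ... portmap proto lo:hi' rule into a dict."""
    m = MAP_RE.match(line)
    if not m:
        raise ValueError("unsupported or malformed map rule: %r" % line)
    lo, hi = int(m.group("lo")), int(m.group("hi"))
    if not 0 <= lo <= hi <= 65535:
        raise ValueError("bad port range %d:%d" % (lo, hi))
    return {"iface": m.group("iface"), "src": m.group("src"),
            "dst": m.group("dst"), "proto": m.group("proto"),
            "lo": lo, "hi": hi}


def iana_classes(lo, hi):
    """Names of the IANA ranges that [lo, hi] touches, in ascending order."""
    return [name for a, b, name in IANA_RANGES if overlaps(lo, hi, a, b)]


def service_conflicts(lo, hi, services=LOCAL_SERVICES):
    """Local services whose listening ports fall inside the portmap range."""
    return sorted(name for name, (a, b) in services.items()
                  if overlaps(lo, hi, a, b))


def check_rule(line, services=LOCAL_SERVICES):
    """Parse a rule and report whether its portmap range stays inside the
    dynamic/private range and clear of the router's own listeners."""
    rule = parse_map(line)
    rule["iana"] = iana_classes(rule["lo"], rule["hi"])
    rule["conflicts"] = service_conflicts(rule["lo"], rule["hi"], services)
    rule["ok"] = rule["iana"] == ["dynamic/private"] and not rule["conflicts"]
    return rule


if __name__ == "__main__":
    # Constructed sample rules: Martijn's from the thread, and a 5000:10000
    # range like the one Igor warns about.
    for line in (
        "map fxp0 192.168.2.0/24 -> 10.0.0.5/32 portmap tcp/udp 49152:65535",
        "map fxp0 192.168.2.0/24 -> 10.0.0.5/32 portmap tcp/udp 5000:10000",
    ):
        r = check_rule(line)
        status = "ok" if r["ok"] else "WARN"
        print("%s %d:%d ranges=%s conflicts=%s" % (
            status, r["lo"], r["hi"], ",".join(r["iana"]),
            ",".join(r["conflicts"]) or "-"))
```

Running it prints `ok` for the 49152:65535 rule and `WARN ... ranges=registered conflicts=X11` for 5000:10000, which is exactly the collision with display :0 described in the message. Extend `LOCAL_SERVICES` with whatever the real router listens on before trusting the verdict.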