1

I'm testing NAT penetration code and need a symmetric NAT. I have configured FreeBSD with PF, using a very simple rule:

# rl0 in WAN on DHCP, sk0 is LAN with computers behind this NAT.
nat on rl0 from sk0:network to any -> (rl0)

This works great, NAT is symmetric for UDP packets, but, unfortunately, the outgoing port number is random for each packet to a different destination. Is there a way to configure PF so ports will not be random, but kind of incremental? For example, a UDP packet to host A will get outgoing UDP port number 50000, a UDP packet to host B will get port number 50001, to host C 50002, etc.?

grigoryvp

2 Answers

1

The static-port option should do what you want.

With nat rules, the static-port option prevents pf(4) from modifying the source port on TCP and UDP packets.

Thus giving you a rule of:

nat on rl0 from sk0:network to any -> (rl0) static-port

I'm curious as to why you would want to do this though. Port randomisation isn't such a bad thing and can go some way to protecting vulnerable protocols. Like the Kaminsky DNS issues of last year, for example.

Dan Carley
  • This will force the port to always be the same for a single computer behind the NAT :(. So this effectively degrades a symmetric NAT to a cone NAT. Is there any way not to make the port static, but just to change the way the port is generated (from random to incremental)? – grigoryvp Sep 21 '09 at 10:14
  • It's not a configuration feature and I think you'd have a hard time convincing PF's authors that it's a good thing to have. PF is of course BSD licensed though, so there's always the DIY avenue. – Dan Carley Sep 21 '09 at 10:34
  • Maybe you know of any other software NAT for Unix/Linux/Windows that can create a "symmetric NAT" with incremental outgoing port assignment? ^_^ – grigoryvp Sep 21 '09 at 10:40
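As an added illustration (not code from the question, the answers or PF itself), here is a small Python model of the three source-port policies discussed above: PF's default random choice, the incremental allocation the question asks for, and static-port. A STUN-style probe from one internal socket to three destinations then shows why static-port turns the mapping into cone behaviour, as the comment says, and why incremental allocation makes the next external port trivially predictable while random allocation does not. The 10.0.0.x / 198.51.100.x addresses and the 50000+ port range are constructed values.

```python
import random

# Toy model of a PF-style source NAT with a selectable port policy (added
# example, not PF code). Port collisions between internal hosts are not modelled.
class NatModel:
    def __init__(self, policy, base_port=50000, seed=1):
        self.policy = policy          # "random" | "incremental" | "static"
        self.next_port = base_port    # next port handed out by the incremental policy
        self.rng = random.Random(seed)
        self.table = {}               # (src_ip, src_port, dst_ip, dst_port) -> external port

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        """Return the external source port for one flow, creating the mapping
        on first sight. A mapping is keyed on the full 4-tuple, so a new
        destination means a new mapping (the symmetric NAT the question wants)."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.table:
            if self.policy == "static":
                ext = src_port                     # static-port: source port left unchanged
            elif self.policy == "incremental":
                ext = self.next_port               # one fresh port per new flow, in order
                self.next_port += 1
            elif self.policy == "random":
                ext = self.rng.randrange(50000, 65536)  # PF's default: an unpredictable port
            else:
                raise ValueError(f"unknown policy {self.policy!r}")
            self.table[key] = ext
        return self.table[key]


def classify(nat, src=("10.0.0.2", 4000)):
    """STUN-style probe: one internal socket sends to three destinations and the
    external ports it was given are compared. Returns (mapping kind, predictable)."""
    ports = [nat.translate(*src, dst, 3478)
             for dst in ("198.51.100.1", "198.51.100.2", "198.51.100.3")]
    if len(set(ports)) == 1:
        # Same external port regardless of destination: endpoint-independent (cone).
        return "endpoint-independent (cone)", False
    # Different port per destination: endpoint-dependent (symmetric). It is only
    # predictable to a peer when the ports step by one, as with incremental allocation.
    consecutive = ports[1] - ports[0] == 1 and ports[2] - ports[1] == 1
    return "endpoint-dependent (symmetric)", consecutive


if __name__ == "__main__":
    for policy in ("static", "incremental", "random"):
        mapping, predictable = classify(NatModel(policy))
        print(f"{policy:12s} {mapping:30s} next port predictable: {predictable}")
```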
0

Just a guess, but you can try:

# sysctl net.inet.ip.portrange.randomized=0
SaveTheRbtz