I'm testing NAT penetration code and need a symmetric NAT. I have configured FreeBSD with PF, very simple rule:
# rl0 in WAN on DHCP, sk0 is LAN with computers behind this NAT.
nat on rl0 from sk0:network to any -> (rl0)
This works great, NAT is symmetric for UDP packets, but, unfortunately, the outgoing port number is random for each packet to a different destination. Is there a way to configure PF so that ports will not be random but rather incremental? For example, a UDP packet to host A would get outgoing UDP port number 50000, a UDP packet to host B would get port number 50001, to host C 50002, etc.?
Best Answer
The `static-port` option should do what you want. Thus giving you a rule of:
I'm curious as to why you would want to do this though. Port randomisation isn't such a bad thing and can go some way to protecting vulnerable protocols, like the Kaminsky DNS issues of last year, for example.
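Since the question is really about verifying what a NAT does with source ports, here is an added example (not from the question, the answer, or the pf project) that classifies the mapping behaviour of a NAT from observed translations, using the RFC 4787 categories. The observation tuples are constructed to model the three behaviours discussed above: pf's default random per-destination ports, the per-host incremental ports the poster asked for, and a port-preserving NAT such as pf with `static-port`; the echo-server probing that would collect them in practice is assumed, not implemented.

```python
# Added example: classify NAT mapping behaviour (RFC 4787 terms) from observations.
# Each observation is (internal_src_port, dst_host, dst_port, external_port), as a
# client behind the NAT would learn from an echo server reporting its public tuple.
# Sample data below is constructed, not captured from the FreeBSD/pf box.
from collections import defaultdict

# pf default: a new random external port for every distinct destination.
RANDOM_SYMMETRIC = [(4000, "A", 53, 61234), (4000, "A", 5000, 58777), (4000, "B", 53, 50231)]
# What the poster asked for: one port per destination host, incremented per host.
INCREMENTAL_PER_HOST = [(4000, "A", 53, 50000), (4000, "A", 5000, 50000),
                        (4000, "B", 53, 50001), (4000, "C", 53, 50002)]
# Port-preserving NAT: external port equals the internal source port for everyone.
STATIC_PORT = [(4000, "A", 53, 4000), (4000, "A", 5000, 4000), (4000, "B", 53, 4000)]


def classify_mapping(observations):
    """Return (mapping_type, port_preserving) for the observed internal endpoint(s).

    mapping_type is one of 'endpoint-independent', 'address-dependent' or
    'address-and-port-dependent' (the last is what STUN calls a symmetric NAT).
    """
    by_src = defaultdict(dict)  # internal src port -> {(dst_host, dst_port): ext_port}
    for src_port, host, port, ext in observations:
        by_src[src_port][(host, port)] = ext
    preserving = all(ext == src for src, _, _, ext in observations)
    mapping = "endpoint-independent"
    for mappings in by_src.values():
        if len(set(mappings.values())) == 1:
            continue  # same external port regardless of destination
        ext_ports_per_host = defaultdict(set)
        for (host, _port), ext in mappings.items():
            ext_ports_per_host[host].add(ext)
        if all(len(ports) == 1 for ports in ext_ports_per_host.values()):
            mapping = "address-dependent"  # port changes only when the host changes
        else:
            return "address-and-port-dependent", preserving  # symmetric NAT
    return mapping, preserving


def is_symmetric(observations):
    """True when the NAT allocates a fresh mapping per (host, port) destination."""
    return classify_mapping(observations)[0] == "address-and-port-dependent"


if __name__ == "__main__":
    for name, obs in [("random", RANDOM_SYMMETRIC), ("incremental", INCREMENTAL_PER_HOST),
                      ("static-port", STATIC_PORT)]:
        print(name, classify_mapping(obs), "symmetric" if is_symmetric(obs) else "not symmetric")
```

Note that the classifier only looks at the mapping side; a port-preserving NAT can still apply address-and-port-dependent filtering on inbound traffic, which this data cannot reveal.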