In PF the default behaviour of `nat-to` is to overwrite the source port of the outgoing packet with a random unused port number. You can specify `static-port` to preserve the source port number.
In IPTables the default behaviour of the MASQUERADE and SNAT policies is to try and preserve the source port of the outgoing packet and use a different source port only if there is a collision with an existing state. You can pass the NF_NAT_RANGE_PROTO_RANDOM flag with the IPTables rule to force the source port of the outgoing packet to be randomized. OpenBSD/PF defaults to randomizing the source port whereas Linux/IPTables defaults to trying to keep the source port. My question is if there was/is a practical reason for defaulting to randomizing source ports in OpenBSD/PF? The change which added the mechanism for source port preservation doesn't have much rationale: https://github.com/openbsd/src/commit/e4b041898d4044a2527ac22b7222d899bde76ebf#diff-a86f8031e805e610e5ee413eda428149aad945e9dc148b909a9f3b2bf8402d01R1413 I have found that preserving the source port if possible works better out of the box when hosting publicly accessable UDP applications within a private network. Randomizing the source port of UDP replies will most likely cause the reply to be blocked by the requestor's network. Of course you can create a PF rule for your UDP application with `static-port`, but it requires a more in depth understanding of how NAT and UDP applications interact to get it to work. One possible advantage of randomizing source ports is that it helps prevent fingerprinting of the devices behind the NAT? Are there any other reasons? Thanks! Elias
