On Sat, Jul 05, 2003 at 12:08:50PM -0400, D. Andrews wrote:

> | sysctl -w net.inet.tcp.baddynamic=+6881 [through +6889]
>
> when pf comes up? netstat doesn't show any listeners at ports
> 6881-6889, so I wonder what mechanism is encumbering those ports (if
> any)?

pf is not preventing anything from binding to those ports, so if you expect a daemon to try that, you might want to add the ports to baddynamic, yes. There are two different cases:

- a daemon is binding a listening socket to one of those ports; it would never get a connection due to the redirection. Since you're supposed to know what services you run on your firewall (if any at all), that's not a matter of guessing or chance. For instance, ftpd will not listen on that port range for passive mode data connections, unless you change the defaults.

- if, by chance, the firewall would pick one of those ports as source port for an outgoing connection to the same external host and port that's already established a redirected connection, pf wouldn't be able to distinguish the connections and would drop packets of the second connection (as would the external peer, if pf passed both connections).

I doubt anyone has suffered the second case by mere chance; you'd have to manually bind to a specific source port (or use a small NAT proxy port range) to trigger it. But if you have specific circumstances that make this more likely (or are just paranoid :), add the ports to baddynamic.

Daniel
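A small check for the advice above, added here as an example and not part of the original thread: given the line printed by `sysctl net.inet.tcp.baddynamic` and the port range your rdr rule covers, it lists the ports the firewall could still pick as an ephemeral source port and emits the `sysctl -w ... =+port` commands to close the gap. The sample sysctl line is constructed (with 6883 deliberately left out), and the script assumes the list is comma-separated with single ports or a-b ranges.

```shell
#!/bin/sh
# Added example: verify that every port of a redirected range is marked
# "bad dynamic", so pf's own outgoing connections never collide with an
# rdr'd connection to the same external host and port.

# Expand a comma-separated list of single ports and a-b ranges, one port
# per line (format assumed; real sysctl output may differ by version).
expand_list() {
    echo "$1" | tr ',' '\n' | while IFS= read -r item; do
        case "$item" in
            '')  ;;
            *-*) lo=${item%-*}; hi=${item#*-}; i=$lo
                 while [ "$i" -le "$hi" ]; do echo "$i"; i=$((i+1)); done ;;
            *)   echo "$item" ;;
        esac
    done
}

# $1 = full "net.inet.tcp.baddynamic=..." line, $2 = first port, $3 = last.
# Prints each port of the range that is NOT in the list (empty = covered).
baddynamic_missing() {
    known=$(expand_list "${1#*=}")
    p=$2
    while [ "$p" -le "$3" ]; do
        echo "$known" | grep -qx "$p" || echo "$p"
        p=$((p+1))
    done
}

# Same arguments; prints the sysctl commands that would add the missing ports
# (the "+port" form is the one used in the question above).
baddynamic_fix_cmds() {
    baddynamic_missing "$@" | while IFS= read -r p; do
        echo "sysctl -w net.inet.tcp.baddynamic=+$p"
    done
}

# Constructed sample output, not taken from a real system.
SAMPLE='net.inet.tcp.baddynamic=587,749-751,760,761,871,1080,6881,6882,6884-6889'

# Stand-alone run: reports 6883 and the command that would add it.
baddynamic_missing "$SAMPLE" 6881 6889
baddynamic_fix_cmds "$SAMPLE" 6881 6889
```

On a live firewall, replace `$SAMPLE` with `"$(sysctl net.inet.tcp.baddynamic)"` and pair the result with `netstat -an` to confirm nothing is already listening in the range.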
