Is there a way to get pf to never use specific ports? For example, a client on my LAN might send a request for a certain webpage which gets sent to the gateway from a certain port, we'll say 43101. The request hits the gateway and then gets changed to another source port like 12754. The problem is that 12754 will trigger a false positive in snort that someone is scanning for a ddos mstream client handler. How (if possible) can you create a list of ports that will never be used by pf?
# sysctl -w net.inet.tcp.baddynamic=749,750,751,760,761,871
But you might be searching for

# sysctl -w net.inet.ip.portfirst=1024
# sysctl -w net.inet.ip.portlast=49151
# sysctl -w net.inet.ip.porthifirst=49152
# sysctl -w net.inet.ip.porthilast=65535
PF actually runs independent of the IP stack, and so ignores all of those. They only affect local processes.
The downside of ignoring everything the stack does is that you can get some interesting collisions at times...
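Since pf picks translated source ports itself rather than from the stack's sysctl ranges, the place to constrain them is the translation rule. The pf.conf fragment below is an added example, not from any post in this thread; it uses OpenBSD's match/nat-to syntax, the LAN subnet 192.168.1.0/24 is a placeholder, and the chosen range 50001:65535 is only an assumption picked to stay clear of the low port that tripped the snort signature above. Check pf.conf(5) on your own release for the exact grammar, since older pf versions use a separate `nat on ... -> ... port` rule form.

```conf
# /etc/pf.conf fragment (added example, assumptions: LAN is 192.168.1.0/24,
# external interface is in the "egress" group, translated ports 50001:65535).
#
# Translate LAN clients behind the gateway address, but only hand out source
# ports from the given range. Any port outside it is never used for NAT, so
# a low port such as 12754 cannot appear as the translated source port.
match out on egress inet from 192.168.1.0/24 to any nat-to (egress) port 50001:65535

# Let the translated traffic leave; state is kept so replies are matched.
pass out on egress inet from 192.168.1.0/24 to any keep state
```

After editing, validate the rule set with `pfctl -nf /etc/pf.conf` before loading it, and confirm the live translations with `pfctl -ss` to see that the source ports on outbound states fall inside the chosen range. Keeping the range high is only one half of the fix: the snort rule that alerts on a bare destination/source port is still going to fire on any host whose ephemeral range overlaps it, so tuning that signature to require the mstream payload pattern is the more robust defender-side change.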
