On Sat, Jul 26, 2003 at 08:29:35PM -0700, Bryan Irvine wrote:
> Is there a way to get pf to never use specific ports? For example a
> client on my LAN might send a request for a certain webpage which gets
> sent to the gateway from a certain port we'll say, 43101. The Request
> hits the gateway and then gets changed to another source port like
> 12754. The problem is that 12754 will trigger a false positive in snort
> that someone is scanning for a ddos mstream client handler. How (if
> possible) can you create a list of ports that will never be used by pf?
The default proxy port range used by pf is 50001-65535, so it won't use 12754.

You can change the proxy port range like this

  nat on $extif from 10.0.0.0/8 to any -> $extif port 20000:30000

which would cause pf to use proxy ports 20000-30000 for connections matching this rule.

Why are you running snort on the external interface, and not the internal one? It's an intrusion detection system, and packets that don't pass your firewall don't constitute an intrusion...

Daniel
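As an added example (not code from this thread), a small Python audit script that pulls the proxy port range out of each nat rule in a pf.conf and reports any listed port (such as the 12754 from the question) that a rule could hand out as a translated source port; where a rule gives no port option it assumes the 50001-65535 default quoted in the reply. The sample pf.conf is constructed, and the parser is line-based and only handles single-host translation targets.

```python
import re

# Proxy port range pf uses when a nat rule carries no "port" option.
DEFAULT_PROXY_RANGE = (50001, 65535)

# Matches a nat rule's translation target and the optional portspec /
# static-port that follow it, e.g.
#   nat on $extif from 10.0.0.0/8 to any -> $extif port 20000:30000
#   nat on $extif from 10.0.0.0/8 to any -> ($extif) static-port
NAT_RE = re.compile(
    r"^\s*nat\b.*?->\s*\(?[^\s()]+\)?"
    r"(?:\s+port\s+(?P<lo>\d+)(?::(?P<hi>\d+))?)?"
    r".*?(?P<static>\bstatic-port)?\s*$"
)

# Constructed pf.conf for demonstration (not a real configuration).
SAMPLE_CONF = """\
extif = "fxp0"
nat on $extif from 10.0.0.0/8 to any -> $extif            # default range
nat on $extif from 192.168.1.0/24 to any -> ($extif) port 10000:20000
nat on $extif from 10.1.0.0/16 to any -> $extif static-port
"""

def nat_proxy_ranges(conf_text):
    """Return [(rule_line, (lo, hi))] for each nat rule; static-port rules
    keep the client's own source port and get None instead of a range."""
    ranges = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].rstrip()   # drop trailing comments
        m = NAT_RE.match(line)
        if not m:
            continue
        if m.group("static"):
            ranges.append((line, None))
        elif m.group("lo"):
            lo = int(m.group("lo"))
            hi = int(m.group("hi")) if m.group("hi") else lo
            ranges.append((line, (lo, hi)))
        else:
            ranges.append((line, DEFAULT_PROXY_RANGE))
    return ranges

def ports_in_ranges(conf_text, avoid_ports):
    """Map each port in avoid_ports to the nat rules whose proxy port range
    contains it, i.e. the rules that could trigger the IDS signature."""
    hits = {}
    for line, rng in nat_proxy_ranges(conf_text):
        if rng is None:
            continue
        for port in avoid_ports:
            if rng[0] <= port <= rng[1]:
                hits.setdefault(port, []).append(line)
    return hits
```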
