Re: [fw-wiz] NAPT - NAT Port selection

From: Harald Welte (
Date: 08/24/04

Date: Tue, 24 Aug 2004 11:54:19 +0200

On Fri, Aug 20, 2004 at 09:05:37AM +0530, wrote:

> Internally, among developers, we discussed this issue and we came out with
> one suggestion - Reusage of NAT port in multiple sessions, as long as
> at least one of 5 tuples is different - Since source IP is same (public IP
> address), destination IP or destination port has to be different.

Yes, this is what every linux 2.4.x and linux 2.6.x based system does
(linux-2.4 and 2.6 use netfilter/iptables (

> I solicit your feedback on this.
> - Is it good for NAPT device to use same NAT port for different
> sessions, if they are going to different destination (based on
> Destination IP and Port)? Do you see any problems associated with
> this apart from the one mentioned above?

It is questionable whether it is 'good'. I (as one of the netfilter
authors) think it is good as in
        - tries to preserve port numbers as much as possible and not
          make applications relying on port number persistency break
        - minimum use of resources (i.e. more than 64k sessions).

However, there is a group working on a NAT Behaviour draft within the
IETF that discourages this (they call it 'port overloading'), since it
creates less deterministic behaviour.

> - Any experiences?

No problems whatsoever. Please keep in mind the number of linux
installations, especially in embedded devices sold as WLAN and DSL

> Thanks in advance
> Ravi

- Harald Welte <>
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

firewall-wizards mailing list
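Added example illustrating the port-reuse policy discussed in the thread (this is not code from the list or from netfilter; the addresses are constructed from documentation ranges): a toy NAPT mapping table that keeps the internal source port where it can and reuses an external port across sessions whenever the full 5-tuple stays unique, then shows how replies are demultiplexed on that tuple.

```python
# Added example (not from the mailing-list thread): a minimal NAPT mapping
# table that reuses ("overloads") an external port across sessions as long
# as (proto, external IP, external port, dst IP, dst port) stays unique,
# preferring to keep the internal source port unchanged.
from dataclasses import dataclass, field
from itertools import chain

EXTERNAL_IP = "203.0.113.1"          # constructed public address (RFC 5737 range)
PORT_RANGE = range(1024, 65536)


@dataclass
class NaptTable:
    ext_ip: str = EXTERNAL_IP
    # (proto, ext_port, dst_ip, dst_port) -> (src_ip, src_port)
    outbound: dict = field(default_factory=dict)

    def allocate(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Return the external port used for this outbound flow."""
        for key, val in self.outbound.items():
            if key[0] == proto and key[2:] == (dst_ip, dst_port) and val == (src_ip, src_port):
                return key[1]                      # existing session keeps its mapping
        # Try the original source port first so port-persistent applications keep working.
        candidates = chain([src_port], (p for p in PORT_RANGE if p != src_port))
        for ext_port in candidates:
            if (proto, ext_port, dst_ip, dst_port) not in self.outbound:
                self.outbound[(proto, ext_port, dst_ip, dst_port)] = (src_ip, src_port)
                return ext_port
        raise RuntimeError("no free external port for this destination")

    def translate_inbound(self, proto, from_ip, from_port, ext_port):
        """Map a reply to (src_ip, src_port), or None if no session matches the 5-tuple."""
        return self.outbound.get((proto, ext_port, from_ip, from_port))


def demo():
    nat = NaptTable()
    # Two internal hosts both pick source port 50000 towards different servers:
    # both keep port 50000 externally because the destination differs.
    a = nat.allocate("tcp", "192.168.1.10", 50000, "198.51.100.5", 443)
    b = nat.allocate("tcp", "192.168.1.11", 50000, "198.51.100.6", 443)
    # A third host to the SAME destination as the first cannot share port 50000.
    c = nat.allocate("tcp", "192.168.1.12", 50000, "198.51.100.5", 443)
    # Replies are matched on the full tuple; a packet from an unrelated source
    # to the shared port matches no session and would be dropped.
    reply = nat.translate_inbound("tcp", "198.51.100.6", 443, 50000)
    stray = nat.translate_inbound("tcp", "198.51.100.7", 443, 50000)
    return a, b, c, reply, stray


if __name__ == "__main__":
    print(demo())
```

Because the external port chosen depends on the destination, a peer that learns one mapping cannot assume it holds for a different destination, which is the predictability concern the reply attributes to the IETF draft.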
