Topic: Portmap + Outbound NAT  (Read 475 times)
« on: June 07, 2014, 00:48:42 »
watercooled
Posts: 11

There are a few specifics regarding the outbound NAT functionality in m0n0 which I'm a little unsure about, and would like to understand better.

Firstly, take a look at some of the rules pulled from the ipnat status:
Code:
map re1 192.168.0.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map re1 192.168.0.0/24 -> 0.0.0.0/32 portmap tcp/udp 1024:64535
map re1 192.168.0.0/24 -> 0.0.0.0/32
map re1 192.168.0.10/32 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map re1 192.168.0.10/32 -> 0.0.0.0/32
map re1 192.168.0.10/32 -> 0.0.0.0/32 portmap tcp/udp 1024:64535
Now, this works fine, in that the .10 host has the 'avoid port mapping' option set. However, the general subnet rule also technically applies to this host, and even appears first in the list, so why is the rule honoured? There is no way to move the rules like in the firewall, so it's apparently not order-based; is it down to which rule is more specific?

Secondly, I can think of a scenario which could break certain functionality, if I understand this correctly, on something like Xbox Live, which is a good example of a service that needs a non-altered source port to achieve 'open' NAT. What would happen if port 3074 was already randomly assigned to other traffic present on the network when the console came online? Presumably the Xbox would be assigned a random port, at least until the previous NAT state occupying 3074 expired? Does the non-portmap rule carry any sort of priority, i.e. would the existing state be expired ASAP, or would it just have to expire as normal?

On the subject of the above, unless I'm overlooking something, there doesn't seem to be a way to alter the mapped port range used by ipnat from the m0n0wall interface? Would this not be a useful (perhaps hidden/advanced) option in specific cases?

Thanks for reading!
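The following is an added example, not part of the original post and not m0n0wall or IPFilter code. It parses the six `map` lines quoted above and, for a given flow (source address, protocol, destination port), lists every rule whose selector covers it in the order ipnat prints them, picks the longest-prefix candidate (the "more specific rule" ordering the post guesses at, stated here as an assumption rather than as ipnat's actual lookup logic), and reports which portmap rules draw from a range that contains a given port such as 3074. The `ftp` service name is resolved with a hard-coded table so the script runs offline.

```python
"""Parse ipnat 'map' rules and show which ones cover a given outbound flow."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The six rules quoted in the post (ipnat status output from an m0n0wall box).
IPNAT_STATUS = """\
map re1 192.168.0.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map re1 192.168.0.0/24 -> 0.0.0.0/32 portmap tcp/udp 1024:64535
map re1 192.168.0.0/24 -> 0.0.0.0/32
map re1 192.168.0.10/32 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map re1 192.168.0.10/32 -> 0.0.0.0/32
map re1 192.168.0.10/32 -> 0.0.0.0/32 portmap tcp/udp 1024:64535
"""

SERVICE_PORTS = {"ftp": 21}  # only the service name that appears in the rules above

RULE_RE = re.compile(
    r"^map\s+(?P<ifname>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
    r"(?:\s+proxy\s+port\s+(?P<proxy_port>\S+)\s+(?P<proxy_name>\S+)/(?P<proxy_proto>\S+))?"
    r"(?:\s+portmap\s+(?P<pm_protos>\S+)\s+(?P<pm_lo>\d+):(?P<pm_hi>\d+))?\s*$"
)


@dataclass(frozen=True)
class MapRule:
    index: int                                # position in ipnat status output (0-based)
    ifname: str
    src: ipaddress.IPv4Network                # source selector
    dst: str                                  # translated-to address as printed
    proxy_proto: Optional[str]                # "tcp" for an application proxy rule
    proxy_port: Optional[int]                 # destination port the proxy rule is limited to
    portmap_protos: Tuple[str, ...]           # protocols whose source port gets rewritten
    portmap_range: Optional[Tuple[int, int]]  # inclusive range mapped ports are drawn from

    def applies(self, src_ip: str, proto: str, dst_port: int) -> bool:
        """Does this rule's selector cover the flow?"""
        if ipaddress.ip_address(src_ip) not in self.src:
            return False
        if self.proxy_proto is not None:
            # proxy rules fire only for their own protocol and destination port
            return proto == self.proxy_proto and dst_port == self.proxy_port
        if self.portmap_range is not None:
            return proto in self.portmap_protos
        return True  # plain map: address-only rewrite, any protocol

    def rewrites_source_port(self) -> bool:
        return self.portmap_range is not None


def parse_ipnat(text: str) -> List[MapRule]:
    """Turn ipnat status text into MapRule objects, one per non-blank line."""
    rules = []
    for i, line in enumerate(l for l in text.splitlines() if l.strip()):
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ipnat line: {line!r}")
        g = m.groupdict()
        rules.append(MapRule(
            index=i, ifname=g["ifname"], src=ipaddress.ip_network(g["src"]), dst=g["dst"],
            proxy_proto=g["proxy_proto"],
            proxy_port=SERVICE_PORTS[g["proxy_port"]] if g["proxy_port"] else None,
            portmap_protos=tuple(g["pm_protos"].split("/")) if g["pm_protos"] else (),
            portmap_range=(int(g["pm_lo"]), int(g["pm_hi"])) if g["pm_lo"] else None,
        ))
    return rules


def matching_rules(rules: List[MapRule], src_ip: str, proto: str, dst_port: int) -> List[MapRule]:
    """All rules covering the flow, in the order ipnat lists them."""
    return [r for r in rules if r.applies(src_ip, proto, dst_port)]


def most_specific(rules: List[MapRule]) -> Optional[MapRule]:
    """Longest source prefix wins; ties keep listed order.
    Assumption for illustration: this is the ordering the post guesses at,
    not a statement of what ipnat actually implements."""
    return max(rules, key=lambda r: r.src.prefixlen, default=None)


def portmap_rules_covering(rules: List[MapRule], proto: str, port: int) -> List[MapRule]:
    """Rules whose random portmap range could hand `port` to some other flow."""
    return [r for r in rules
            if r.portmap_range and proto in r.portmap_protos
            and r.portmap_range[0] <= port <= r.portmap_range[1]]


if __name__ == "__main__":
    rules = parse_ipnat(IPNAT_STATUS)
    hits = matching_rules(rules, "192.168.0.10", "udp", 3074)
    print("rules covering 192.168.0.10 udp->3074:", [r.index for r in hits])
    print("longest prefix candidate:", most_specific(hits).index)
    print("portmap ranges containing 3074:",
          [r.index for r in portmap_rules_covering(rules, "udp", 3074)])
```

Running it shows that the .10 host is covered by four rules (the two subnet rules at positions 1 and 2 and the two host rules at 4 and 5), that 3074 lies inside the 1024:64535 range used by both portmap rules, and that the longest-prefix choice picks the plain host rule, which does not rewrite the source port. The script only enumerates candidates; which one ipnat really selects is the question the post asks.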
 