I have a firewall/router using nft. It connects to the outside world
with a single globally routeable IP address ('Real-IP').
I want to use the Real-IP both for NAT and for the firewall/router itself.
My understanding is that for tcp and udp:
* for private source IPs, I can configure SNAT to use one port
range, say 16384:65535.
* and I can, elsewhere, configure the firewall/router to use a
different range, say 0:16383, with no NAT required (inbound
or outbound).
But for ICMP queries, I cannot find equivalent settings to manage the
"Query Identifier".
It has occurred to me that the trick might be to SNAT all outbound ICMP
queries, something like:
.... ip protocol icmp ip saddr 203.0.113.1 snat to 203.0.113.1
.... ip protocol icmp ip saddr 10.0.0.0/8 snat to 203.0.113.1
where 203.0.113.1 is the Real-IP. I'm guessing NATing the source address
to itself is OK... yes ?
------------------------------------------------------------
Separately: where should I look to find the degree of conformance to the
various "NAT Behavioural Requirements": RFCs 4787, 5382, 5508 and 7857 ?
------------------------------------------------------------
Thanks,
Chris
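For reference, here is the tcp/udp port-range split plus the ICMP SNAT from the question written out as a loadable nft ruleset. This is an added example, not code from the original post; it assumes the WAN interface is named "wan", the private side is 10.0.0.0/8 and 203.0.113.1 is the Real-IP. The ICMP rule only hands conntrack the source address; it does not claim a way to pin the Query Identifier to a range.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original post). Assumed names: interface "wan",
# private range 10.0.0.0/8, Real-IP 203.0.113.1.
# Syntax-check without loading:   nft -c -f this-file.nft
# The router's own tcp/udp sockets are kept out of the NAT range by setting
# the kernel's net.ipv4.ip_local_port_range sysctl to end at 16383.

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Private side, tcp and udp: SNAT to the Real-IP and pin the
        # translated source port to the upper range, so NAT-allocated ports
        # never collide with the router's own sockets in the lower range.
        oifname "wan" ip saddr 10.0.0.0/8 ip protocol tcp snat to 203.0.113.1:16384-65535
        oifname "wan" ip saddr 10.0.0.0/8 ip protocol udp snat to 203.0.113.1:16384-65535

        # Private side, ICMP queries (echo request etc.): SNAT to the Real-IP.
        # conntrack rewrites the Query Identifier only when it must, to keep
        # each translated flow unique; no explicit id range is given here.
        oifname "wan" ip saddr 10.0.0.0/8 ip protocol icmp snat to 203.0.113.1
    }
}
```

Check the result with `conntrack -L -p icmp` (conntrack-tools) while pinging from a private host: each entry shows the original and reply tuples, including the id actually in use.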