Hi,

> ...configure the firewall/router to use a different range

You do not need to allocate a different range, per se; the port selection algorithm of the kernel will only use a port if it is not already in use. For LAN to WAN forwarded connections, you should SNAT the local port of most requests to the range 49152-65535, and the address to an available or appropriate 'public IP' (appears to be 203.0.113.1). Requirements may be different as defined by the network administrator for your LAN or a MAN/Intranet. Refer to the IANA Service Name and Transport Protocol Port Number Registry for a description of ephemeral/private/dynamic ports, and why you may wish to avoid the 'System' and 'User' port ranges for local ports. There are exceptions: NTP is static 123<->123; do not blindly NAT everything.

> ICMP "Query Identifier"

Could you explain this one in more detail? I'm unfamiliar with an ICMP Query Identifier.

> SNAT all outbound ICMP queries, something like:
>
> .... ip protocol ICMP ip saddr 203.0.113.1 snat to 203.0.113.1

This SNAT is not necessary and will only load the router for not much gain. It may be necessary if you were attempting to alter the port; though, if you wish for the router to use a different port range across the board, you can simply change "net.ipv4.ip_local_port_range" via `# sysctl -w net.ipv4.ip_local_port_range="low high"`, where low and high are the lower and upper bounds of the port range. To adhere to IANA recommendations: `sudo sysctl -w net.ipv4.ip_local_port_range="49152 65535"` or `su -l root && sysctl -w net.ipv4.ip_local_port_range="49152 65535"`, or something that adheres to your SELinux policy. I am unsure of how to make these edits persistent (they revert after a reboot with no further interaction); you may need to recompile the kernel to do so. Looks like `man sysctl` mentions `/etc/sysctl.d/*.conf` files: these may be of use also.
As for:

> where should I look to find the degree of conformance to the various "NAT Behavioural Requirements"...

I am unsure. I am hoping for "Address and Port-Dependent Mapping". I believe the best way to check is to make some connections in a test environment and observe tshark / wireshark logs. If you were looking for a 'NAT Connection State' table, I am unsure. You could browse the likes of the VyOS source code (I think it is available!). If you can't use tshark / wireshark, try the TCP and UDP tables in `/net/tcp` and `/net/udp`.

sunny
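An added example, not from the post above or from any project it mentions: a Python script that reads the kernel's `ip_local_port_range` setting, checks it against the IANA dynamic range (49152-65535) that the reply recommends, and lists established TCP connections whose local port falls outside that range, using the `/proc/net/tcp` table format. The `/proc` contents are constructed inline so it runs offline; the hex address decoding assumes a little-endian host.

```python
"""Check a Linux host's ephemeral port range against the IANA dynamic range
(49152-65535) and list established connections whose local port falls outside
a given range, as read from /proc/net/tcp.

Added example, not code from the original post or any project it mentions.
The /proc contents below are constructed so the script runs offline; on a real
host, feed the parsers the contents of /proc/sys/net/ipv4/ip_local_port_range
and /proc/net/tcp instead.
"""
import socket
import struct

IANA_DYNAMIC = (49152, 65535)

# Constructed sample of /proc/sys/net/ipv4/ip_local_port_range (the usual Linux default).
SAMPLE_PORT_RANGE = "32768\t60999\n"

# Constructed sample in /proc/net/tcp format: header line, an sshd listener on
# port 22, and two client connections to 127.0.0.1:80 and 127.0.0.1:443.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:C3A2 0100007F:0050 01 00000000:00000000 00:00000000 00000000  1000        0 5678 1 0000000000000000 20 4 30 10 -1
   2: 0100007F:8C70 0100007F:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 9012 1 0000000000000000 20 4 30 10 -1
"""

# Subset of the kernel's TCP state codes as printed in /proc/net/tcp.
TCP_STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "0A": "LISTEN"}


def parse_port_range(text):
    """Parse the 'low high' pair from net.ipv4.ip_local_port_range."""
    low, high = text.split()
    return int(low), int(high)


def conforms_to_iana(low, high):
    """True if every port the kernel may pick lies in the IANA dynamic range."""
    return low >= IANA_DYNAMIC[0] and high <= IANA_DYNAMIC[1]


def _decode_endpoint(field):
    """Turn '0100007F:0016' into ('127.0.0.1', 22).

    /proc/net/tcp prints the IPv4 address as a 32-bit value in host byte
    order; assumption: little-endian host (x86, arm64), hence '<I'.
    """
    addr_hex, port_hex = field.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return one dict per socket line (the header line is skipped)."""
    sockets = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, local_port = _decode_endpoint(fields[1])
        remote_addr, remote_port = _decode_endpoint(fields[2])
        sockets.append({
            "local_addr": local_addr, "local_port": local_port,
            "remote_addr": remote_addr, "remote_port": remote_port,
            "state": TCP_STATES.get(fields[3], fields[3]),
        })
    return sockets


def established_ports_outside(text, low, high):
    """Local ports of ESTABLISHED sockets that fall outside [low, high].

    Listeners are ignored on purpose: a server's well-known port is meant to
    be low. Sorted so the result is stable regardless of /proc ordering.
    """
    return sorted(
        s["local_port"] for s in parse_proc_net_tcp(text)
        if s["state"] == "ESTABLISHED" and not (low <= s["local_port"] <= high)
    )


if __name__ == "__main__":
    low, high = parse_port_range(SAMPLE_PORT_RANGE)
    print(f"ip_local_port_range = {low} {high}; "
          f"IANA-conformant: {conforms_to_iana(low, high)}")
    for port in established_ports_outside(SAMPLE_PROC_NET_TCP, *IANA_DYNAMIC):
        print(f"established connection using local port {port} "
              f"outside the IANA dynamic range")
```

With the sample data the default range 32768-60999 fails the IANA check and the connection bound to local port 35952 is flagged; the one on 50082 is not. If the range is changed as the reply suggests, the matching persistent setting is a line `net.ipv4.ip_local_port_range = 49152 65535` in a file under `/etc/sysctl.d/`, which the `man sysctl` reference in the reply points to.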