On Tue, Dec 1, 2015, at 10:50, el...@sentor.se wrote:
>
> Not that this helps this thread to move on, but just to clarify:
>
> In this case, the NAT that would introduce the randomized src port would
> be *your* NAT, not a NAT at pool.ntp.org.
>
>
> Deny UDP [2604:a880:800:10::bc:c004]:123 [2001:470:1f11:1e8::2]:58285 in
> via gif0
>
> The blocked response came from port 123 just as expected.
>
> If the client truly sent out a query from src port 123, then it must have
> been your NAT that picked a free random port to use for its outgoing
> connection, i.e. port 58285.
> The server then responds back to your NAT-IP 2001:470:1f11:1e8::2 at port
> 58285.
> Your NAT should receive the packet, match it against its NAT table, find
> that it has indeed an ongoing UDP connection for that particular flow, so
> it rewrites the dst IP and dst port to your original internal IP address
> and original port (123) and sends it back to the client.
>
> /Elof
>
There's no NAT involved with my IPv6.

-- 
Mark Felder
ports-secteam member
f...@freebsd.org

_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
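The NAT table lookup that Elof's quoted message describes (outbound query from UDP/123 gets a fresh external port, the reply is matched on the flow and translated back to the client), written out as an added example. This is not code from either poster or from FreeBSD; it is a constructed model. The internal client address 2001:db8::10, the fixed choice of port 58285, and the log-line parser are assumptions for illustration, and Mark's reply notes that no NAT is involved in his own setup.

```python
"""
Constructed model of the NAT return-path lookup described in the quoted
message: an internal NTP client sends from UDP/123, the NAT rewrites the
source to its own address plus a newly chosen port, and the server's reply
is matched against the NAT table and translated back to the client.
The client address and the port choice are assumptions for illustration.
"""
import itertools
import random
import re
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

# Constructed firewall log line in the same shape as the one quoted above.
LOG_LINE = ("Deny UDP [2604:a880:800:10::bc:c004]:123 "
            "[2001:470:1f11:1e8::2]:58285 in via gif0")

LOG_RE = re.compile(
    r"^(?P<action>\w+) (?P<proto>\w+) "
    r"\[(?P<src>[0-9a-fA-F:]+)\]:(?P<sport>\d+) "
    r"\[(?P<dst>[0-9a-fA-F:]+)\]:(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)$"
)


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


def parse_log(line: str) -> Tuple[Flow, str, str]:
    """Parse a 'Deny UDP [src]:sport [dst]:dport in via ifN' style line."""
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised log line: {line!r}")
    flow = Flow(m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
    return flow, m["action"], m["iface"]


class Nat:
    """Minimal stateful UDP NAT keyed on the full 4-tuple (assumed model)."""

    def __init__(self, external_ip: str,
                 port_source: Optional[Iterator[int]] = None):
        self.external_ip = external_ip
        # Port chooser: by default a random ephemeral port, as the quoted
        # message assumes; callers may pass a fixed sequence instead.
        self.port_source = port_source or (
            random.randrange(49152, 65536) for _ in itertools.count())
        self.table: dict = {}    # (int_ip, int_port, rem_ip, rem_port) -> ext port
        self.reverse: dict = {}  # (rem_ip, rem_port, ext_port) -> (int_ip, int_port)

    def outbound(self, flow: Flow) -> Flow:
        """Translate an internal packet; allocate a mapping on first use."""
        key = (flow.src, flow.sport, flow.dst, flow.dport)
        if key not in self.table:
            ext_port = next(self.port_source)
            while (flow.dst, flow.dport, ext_port) in self.reverse:  # port in use
                ext_port = next(self.port_source)
            self.table[key] = ext_port
            self.reverse[(flow.dst, flow.dport, ext_port)] = (flow.src, flow.sport)
        return Flow(self.external_ip, self.table[key], flow.dst, flow.dport)

    def inbound(self, flow: Flow) -> Optional[Flow]:
        """Translate a reply back to the client, or None if no state matches."""
        if flow.dst != self.external_ip:
            return None
        entry = self.reverse.get((flow.src, flow.sport, flow.dport))
        if entry is None:
            return None
        internal_ip, internal_port = entry
        return Flow(flow.src, flow.sport, internal_ip, internal_port)


def demo() -> Tuple[Flow, Optional[Flow], Optional[Flow]]:
    # Assumed internal client; the NAT's external address is the one in the log.
    nat = Nat("2001:470:1f11:1e8::2", port_source=iter([58285]))
    query = Flow("2001:db8::10", 123, "2604:a880:800:10::bc:c004", 123)
    on_wire = nat.outbound(query)              # src becomes NAT-IP:58285
    reply, action, iface = parse_log(LOG_LINE)
    delivered = nat.inbound(reply)             # matched: dst becomes client:123
    # A reply to port 123 on the NAT itself has no table entry and is dropped.
    stray = nat.inbound(Flow(reply.src, 123, nat.external_ip, 123))
    return on_wire, delivered, stray


if __name__ == "__main__":
    print(demo())
```

The `stray` case is the check a practitioner wants: a reply that does not match any existing entry gets no translation, which is why, under Elof's hypothesis, the blocked packet to port 58285 would only be deliverable if a NAT had created that mapping in the first place.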