why would pf change the udp destination port?

[fjoesne]

I've set up an openvpn gateway at home that I can access from home. however there are some problems with a a specific connection. I've tried debugging this with tcpdump but I cannot know what happens within the pf process. Here is the problem:

The following demonstrates how destination port goes from 64204 to 9000, also notice what happens when I reinstate the pf ruleset. If I reset and start the connection again, it goes back to changing the destination port.

The following is a tcpdump after the NAT:

7:06:41.000640 IP (tos 0x0, ttl 112, id 4302, offset 0, flags [none], proto UDP (17), length 52)
    74.201.102.232.9000 > 192.168.1.11.9000: UDP, length 24
07:06:43.062883 IP (tos 0x0, ttl 112, id 7579, offset 0, flags [none], proto UDP (17), length 52)
    74.201.102.232.9000 > 192.168.1.11.9000: UDP, length 24
07:06:45.078621 IP (tos 0x0, ttl 112, id 9871, offset 0, flags [none], proto UDP (17), length 52)
    74.201.102.232.9000 > 192.168.1.11.9000: UDP, length 24
07:06:47.078570 IP (tos 0x0, ttl 112, id 11407, offset 0, flags [none], proto UDP (17), length 52)
    74.201.102.232.9000 > 192.168.1.11.9000: UDP, length 24
07:06:49.078712 IP (tos 0x0, ttl 112, id 19806, offset 0, flags [none], proto UDP (17), length 52)
    74.201.102.232.9000 > 192.168.1.11.9000: UDP, length 24

[cmd=]bash# sh /etc/rc.d/pf restart[/cmd]

07:06:51.125601 IP (tos 0x0, ttl 112, id 22280, offset 0, flags [none], proto UDP (17), length 52)
    74.201.102.232.9000 > 192.168.1.11.64204: UDP, length 24
07:06:53.141239 IP (tos 0x0, ttl 112, id 25265, offset 0, flags [none], proto UDP (17), length 52)
    74.201.102.232.9000 > 192.168.1.11.64204: UDP, length 24
07:06:54.547700 IP (tos 0x0, ttl 112, id 26308, offset 0, flags [none], proto UDP (17), length 56)
    74.201.102.232.9000 > 192.168.1.11.64204: UDP, length 28

This is a tcpdump done on the device before the NAT:

07:06:41.000622 IP (tos 0x0, ttl 113, id 4302, offset 0, flags [none], proto UDP (17), length 52)
    74.201.102.232.9000 > 192.168.0.10.64204: UDP, length 24
07:06:43.062865 IP (tos 0x0, ttl 113, id 7579, offset 0, flags [none], proto UDP (17), length 52)
    74.201.102.232.9000 > 192.168.0.10.64204: UDP, length 24
07:06:45.078602 IP (tos 0x0, ttl 113, id 9871, offset 0, flags [none], proto UDP (17), length 52)
    74.201.102.232.9000 > 192.168.0.10.64204: UDP, length 24
07:06:47.078551 IP (tos 0x0, ttl 113, id 11407, offset 0, flags [none], proto UDP (17), length 52)
    74.201.102.232.9000 > 192.168.0.10.64204: UDP, length 24
07:06:49.078693 IP (tos 0x0, ttl 113, id 19806, offset 0, flags [none], proto UDP (17), length 52)
    74.201.102.232.9000 > 192.168.0.10.64204: UDP, length 24
07:06:51.125578 IP (tos 0x0, ttl 113, id 22280, offset 0, flags [none], proto UDP (17), length 52)
    74.201.102.232.9000 > 192.168.0.10.64204: UDP, length 24
07:06:53.141162 IP (tos 0x0, ttl 113, id 25265, offset 0, flags [none], proto UDP (17), length 52)
    74.201.102.232.9000 > 192.168.0.10.64204: UDP, length 24
07:06:54.547681 IP (tos 0x0, ttl 113, id 26308, offset 0, flags [none], proto UDP (17), length 56)

pf.conf:

scrub in all
nat on nfe0 from 192.168.1.0/24 to any -> (nfe0) round-robin sticky-address
binat on nfe0 from 74.201.102.232 to 192.168.0.10 -> 192.168.1.11

 

[fbsd1]

What you are seeing is the normal way things work.
PF is not doing anything to the port number.
If you want to understand the internals of the process get your self a book on networking.

 

[SirDice]

PF is not doing anything to the port number.

Exactly. Look closely at the destination port before and after the NAT. You'll see they are the same.