net-harry
Collaborator

Hide-NAT ports

Hi,

We are updating ACLs on our Internet facing routers and would like to restrict inbound traffic to the IP addresses of the hide-NAT entries.

From what I can see in the following URL, hide-NAT uses ports 600-1023, 10,000-60,000 and 60,001-65,000.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...


Could someone please confirm if this information is up to date and ideally give more information when/if the low ports (600-1023) and extra ports (60001-65000) are needed?

I would also like to know if these ports are used for both UDP and TCP connections or only for TCP. The main outbound UDP services that we are using are DNS and NTP, plus audio/video.

Please find below a sample ACL for inbound reply traffic for the hide-NAT address (x.x.x.x). Ideally we would like to restrict it further if possible.

permit tcp any host x.x.x.x range 600 1023
permit tcp any host x.x.x.x range 10000 65000
permit udp any host x.x.x.x range 600 1023
permit udp any host x.x.x.x range 10000 65000


We are running R80.20 on the security gateways and R80.40 on the management servers.

Thanks for your help!

Harry

0 Kudos
1 Reply
PhoneBoy
Admin

Not sure why this post got flagged for spam.
In general, the port ranges depend on the original source port of the traffic in question.
Ports below 1024 are considered "privileged" ports in Linux and any traffic (TCP/UDP) that has a source port below 1024 will have HIDE NAT apply a source port in that range.
The 60001-65000 ports are used specifically for services/features that are not CoreXL friendly.
This was an issue in legacy versions and it's mostly not relevant in R80.20 (but I could be wrong).
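Added example, not part of the original thread: a small Python checker that parses ACL lines in the shape Harry posted, evaluates sample inbound reply packets against them, and encodes the port-range mapping PhoneBoy describes (source port below 1024 stays in 600-1023, otherwise 10000-60000, with 60001-65000 reserved for non-CoreXL-friendly services). The address 192.0.2.10 is a constructed stand-in for the x.x.x.x hide-NAT address; function names are my own.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class AclEntry:
    proto: str   # "tcp" or "udp"
    dst_ip: str  # the hide-NAT address named after "host"
    lo: int      # first destination port permitted
    hi: int      # last destination port permitted

def parse_acl(lines):
    """Parse lines of the form 'permit <proto> any host <ip> range <lo> <hi>'."""
    entries = []
    for line in lines:
        tok = line.split()
        if not tok or tok[0].startswith("!"):
            continue  # blank line or IOS comment
        if len(tok) != 8 or (tok[0], tok[2], tok[3], tok[5]) != ("permit", "any", "host", "range"):
            raise ValueError(f"unsupported ACL line: {line!r}")
        ipaddress.ip_address(tok[4])  # reject malformed addresses early
        entries.append(AclEntry(tok[1].lower(), tok[4], int(tok[6]), int(tok[7])))
    return entries

def acl_permits(entries, proto, dst_ip, dst_port):
    """First-match evaluation; no match means the implicit deny at the end of the ACL."""
    return any(e.proto == proto and e.dst_ip == dst_ip and e.lo <= dst_port <= e.hi
               for e in entries)

def expected_hide_nat_range(original_src_port, corexl_friendly=True):
    """Source-port range the gateway assigns to a hidden connection, as described in the reply."""
    if not corexl_friendly:
        return (60001, 65000)
    if original_src_port < 1024:  # privileged source port keeps a privileged NAT port
        return (600, 1023)
    return (10000, 60000)

def acl_covers_range(entries, proto, dst_ip, port_range):
    """True if every reply port the gateway could pick is permitted back in."""
    lo, hi = port_range
    return all(acl_permits(entries, proto, dst_ip, p) for p in range(lo, hi + 1))

# Constructed sample: 192.0.2.10 stands in for the x.x.x.x hide-NAT address in the post.
SAMPLE_NAT_IP = "192.0.2.10"
SAMPLE_ACL = [
    f"permit tcp any host {SAMPLE_NAT_IP} range 600 1023",
    f"permit tcp any host {SAMPLE_NAT_IP} range 10000 65000",
    f"permit udp any host {SAMPLE_NAT_IP} range 600 1023",
    f"permit udp any host {SAMPLE_NAT_IP} range 10000 65000",
]
```

To check your own ACL, pass its lines to parse_acl and assert acl_covers_range for each protocol you hide; a stray packet to UDP/53 or TCP/65001 on the NAT address falls through to the implicit deny.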
