On 2007/06/13 11:12, Geraerts Andy wrote:
> Brian,
> 
> Despite the fact that I get tons of State Failures I see this strange message:
> 
> Jun 13 11:05:01 spock /bsd: pf: NAT proxy port allocation (50001-65535) failed
> 
> Can this be the cause of my errors?

Yes, you have run out of available ports to NAT from.

The straightforward answer is to NAT from a larger pool of addresses
i.e.  nat ... -> { 1.1.1.1, 2.2.2.2, 3.3.3.0/24}

The 50001:65535 range is set in /usr/src/sbin/pfctl/pfctl_parser.c
(PF_NAT_PROXY_PORT_LOW and ..._HIGH) which might give some opportunity
to shoot yourself in the foot (especially if you don't bother to make
related changes to sysctl net.inet.ip.port* to keep some hiports free
for connections from the box itself).

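An added example in POSIX shell (not code from the thread or from pf itself): an awk filter that tallies the "NAT proxy port allocation ... failed" messages per host and proxy range from a constructed syslog excerpt, plus a check for whether a local ephemeral port range overlaps the pf proxy range. The sysctl names net.inet.ip.porthifirst/porthilast and the 49152-65535 values are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Constructed sample log in the same format as the message quoted above.
SAMPLE_LOG='Jun 13 11:05:01 spock /bsd: pf: NAT proxy port allocation (50001-65535) failed
Jun 13 11:05:02 spock /bsd: pf: NAT proxy port allocation (50001-65535) failed
Jun 13 11:05:03 spock sshd[1234]: Accepted publickey for andy from 192.0.2.10
Jun 13 11:05:04 spock /bsd: pf: NAT proxy port allocation (50001-65535) failed'

# Proxy port range compiled into pfctl (PF_NAT_PROXY_PORT_LOW / _HIGH).
PF_PROXY_LOW=50001
PF_PROXY_HIGH=65535

# nat_port_failures "$log_text"
# Prints one line per (host, proxy range): "<host> (<low>-<high>) <count>".
# A rising count is the signal that the NAT pool is exhausted.
nat_port_failures() {
    printf '%s\n' "$1" | awk '
        /pf: NAT proxy port allocation \([0-9]+-[0-9]+\) failed/ {
            n[$4 " " $(NF-1)]++
        }
        END { for (k in n) print k, n[k] }'
}

# range_overlap A_LO A_HI B_LO B_HI
# Exits 0 when the two inclusive port ranges share at least one port.
range_overlap() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# proxy_range_check HI_FIRST HI_LAST
# Compares a local high port range (assumed to be what
# net.inet.ip.porthifirst / porthilast hold) with the pf proxy range and
# prints "overlap" or "disjoint". If you widen the proxy range you want
# this to stay "disjoint" so the box keeps ports for its own connections.
proxy_range_check() {
    if range_overlap "$PF_PROXY_LOW" "$PF_PROXY_HIGH" "$1" "$2"; then
        echo overlap
    else
        echo disjoint
    fi
}

# Stand-alone run: tally the sample log and check an assumed default range.
nat_port_failures "$SAMPLE_LOG"
proxy_range_check 49152 65535
```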