From: Michael Sierchio
Date: Thu, 10 Apr 2003 08:39:23 -0700
To: "Earl A. Killian"
cc: freebsd-ipfw@freebsd.org
Subject: Re: nat vs. state
Message-ID: <3E95902B.8030607@tenebras.com>
In-Reply-To: <16021.30488.437183.530248@sax.killian.com>

Earl A. Killian wrote:

> Is it safe to assume packets diverted to NAT are "safe" and don't need
> further checking? In particular, can the use of dynamic/stateful
> rules be skipped for NAT packets? It seems so, because NAT is already
> stateful.

Safe? Define "safe." ;-)

For *dynamic* nat, probably so. For static nat (port/addr redirect)
you'll probably want to have robust rules after diverting to natd.