Date: Wed, 24 Oct 2007 08:59:38 +0200
From: Daniel Hartmeier <daniel@benzedrine.cx>
To: Nex Mon <sugarfreemonkey@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: disabling implicit creation of state for NAT, BINAT and RDR
Message-ID: <20071024065938.GA20387@insomnia.benzedrine.cx>
In-Reply-To: <1fc8a2a60710232250i5954c8c3tc501ed4ec71dac80@mail.gmail.com>
References: <1fc8a2a60710232250i5954c8c3tc501ed4ec71dac80@mail.gmail.com>
On Wed, Oct 24, 2007 at 01:50:55PM +0800, Nex Mon wrote:

> hello, is there a way to disable implicit creation of states for NAT, BINAT
> and RDR rules? the man page of pf.conf says this:
>
> Note: nat, binat and rdr rules implicitly create state for connections.

Yes, translations require states.

Imagine you have a connection from

  Client        Gateway          External
  10.1.2.3  ->  62.65.145.30  ->  69.147.83.33

i.e. the client 10.1.2.3 sends a TCP SYN to external server 69.147.83.33.
The NAT gateway replaces the source address with 62.65.145.30.

Now the external server sends a TCP SYN+ACK back to 62.65.145.30. How would
the gateway know that this packet is for 10.1.2.3, and needs the destination
address translated back to 10.1.2.3, without a state entry?

The state entry is the only part that holds this mapping information.

Daniel
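The mapping Daniel describes, modelled as an added example (not pf code and not part of the original thread): a toy source-NAT gateway that creates a state entry on the client's first packet and can only untranslate the server's reply by looking that entry up. Addresses follow the mail's diagram; the port numbers and the Packet/NatGateway names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN+ACK (constructed, not a real header)


class NatGateway:
    """Minimal source NAT: outbound packets get the gateway's external address."""

    def __init__(self, ext_ip: str, first_port: int = 50000):
        self.ext_ip = ext_ip
        self.next_port = first_port  # assumed port allocation: sequential
        # forward: (client ip, client port, server ip, server port) -> NAT port
        self.forward: Dict[Tuple[str, int, str, int], int] = {}
        # reverse: (NAT port, server ip, server port) -> (client ip, client port)
        self.states: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Client -> Internet: rewrite the source, creating state on first sight."""
        fkey = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        nat_port = self.forward.get(fkey)
        if nat_port is None:
            # This is the "implicit state creation": the translation itself
            # is the thing that records which client owns which NAT port.
            nat_port = self.next_port
            self.next_port += 1
            self.forward[fkey] = nat_port
            self.states[(nat_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.ext_ip, nat_port, pkt.dst, pkt.dport, pkt.flags)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> client: the state entry is the only way to find the client."""
        client = self.states.get((pkt.dport, pkt.src, pkt.sport))
        if client is None:
            return None  # no state, so no way to untranslate: the packet is dropped
        return Packet(pkt.src, pkt.sport, client[0], client[1], pkt.flags)


def demo() -> Optional[Packet]:
    """Walk the SYN / SYN+ACK exchange from the mail; returns the untranslated reply."""
    gw = NatGateway("62.65.145.30")
    syn_out = gw.outbound(Packet("10.1.2.3", 34567, "69.147.83.33", 80, "S"))
    reply = Packet("69.147.83.33", 80, "62.65.145.30", syn_out.sport, "SA")
    return gw.inbound(reply)
```

A reply arriving for a NAT port with no matching state entry gets `None` from `inbound`, which is exactly the packet the gateway cannot deliver.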