From owner-freebsd-pf@FreeBSD.ORG Wed Oct 24 06:59:40 2007
Date: Wed, 24 Oct 2007 08:59:38 +0200
From: Daniel Hartmeier
To: Nex Mon
Cc: freebsd-pf@freebsd.org
Subject: Re: disabling implicit creation of state for NAT, BINAT and RDR
Message-ID: <20071024065938.GA20387@insomnia.benzedrine.cx>
In-Reply-To: <1fc8a2a60710232250i5954c8c3tc501ed4ec71dac80@mail.gmail.com>

On Wed, Oct 24, 2007 at 01:50:55PM +0800, Nex Mon wrote:

> hello, is there a way to disable implicit creation of states for NAT, BINAT
> and RDR rules?
> the man page of pf.conf says this:
>
> > Note: nat, binat and rdr rules implicitly create state for connections.

Yes, translations require states. Imagine you have a connection from

  Client          Gateway           External
  10.1.2.3   ->   62.65.145.30  ->  69.147.83.33

i.e. the client 10.1.2.3 sends a TCP SYN to external server 69.147.83.33.
The NAT gateway replaces the source address with 62.65.145.30.

Now the external server sends a TCP SYN+ACK back to 62.65.145.30. How would
the gateway know that this packet is for 10.1.2.3, and needs the destination
address translated back to 10.1.2.3, without a state entry? The state entry is
the only part that holds this mapping information.

Daniel
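The point Daniel makes above, as an added toy model that is not part of the original thread and not pf's code: a source-NAT gateway keeps a state table on the outbound SYN, and the reply SYN+ACK can only be mapped back to the client by looking that table up. The addresses are the three from the thread; the ports, the `flags` field and the class and function names are constructed for the illustration. Emptying the table before the reply arrives shows what "without a state entry" means: the gateway has nothing to translate the destination back with.

```python
"""Toy model of the implicit NAT state pf creates for nat/binat/rdr rules.
Addresses follow the thread: 10.1.2.3 (client) -> 62.65.145.30 (gateway)
-> 69.147.83.33 (server). Ports and flag strings are constructed values."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

CLIENT_IP = "10.1.2.3"
GATEWAY_EXT_IP = "62.65.145.30"
SERVER_IP = "69.147.83.33"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN" or "SYN+ACK" here; purely descriptive in this model


# State key as seen from outside: (gateway port, server ip, server port)
ReplyKey = Tuple[int, str, int]
# Flow key as seen from inside: (client ip, client port, server ip, server port)
FlowKey = Tuple[str, int, str, int]


class NatGateway:
    """Source-NAT gateway (hypothetical). `states` is the only place that
    remembers which client a translated connection belongs to."""

    def __init__(self, external_ip: str, first_port: int = 50000) -> None:
        self.external_ip = external_ip
        self.next_port = first_port
        self.flows: Dict[FlowKey, int] = {}  # original flow -> allocated port
        self.states: Dict[ReplyKey, Tuple[str, int]] = {}  # reply -> client

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a client->server packet and create state."""
        flow: FlowKey = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        nat_port = self.flows.get(flow)
        if nat_port is None:
            nat_port = self.next_port
            self.next_port += 1
            self.flows[flow] = nat_port
            # This is the implicit state creation the man page refers to.
            self.states[(nat_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.external_ip, nat_port, pkt.dst, pkt.dport, pkt.flags)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination of a server->gateway packet back to the
        client. Without a matching state entry nothing can be mapped."""
        if pkt.dst != self.external_ip:
            return None
        entry = self.states.get((pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None  # no state: the gateway cannot tell who the reply is for
        client_ip, client_port = entry
        return Packet(pkt.src, pkt.sport, client_ip, client_port, pkt.flags)


def demo() -> Tuple[Packet, Optional[Packet], Optional[Packet]]:
    """Run the SYN / SYN+ACK exchange once with state and once without."""
    gw = NatGateway(GATEWAY_EXT_IP)
    syn = Packet(CLIENT_IP, 40000, SERVER_IP, 80, "SYN")
    syn_out = gw.outbound(syn)          # source becomes 62.65.145.30:50000
    syn_ack = Packet(SERVER_IP, 80, syn_out.src, syn_out.sport, "SYN+ACK")
    syn_ack_in = gw.inbound(syn_ack)    # destination becomes 10.1.2.3:40000
    gw.states.clear()                   # state gone (expired or flushed)
    lost = gw.inbound(syn_ack)          # None: reply cannot be translated
    return syn_out, syn_ack_in, lost


if __name__ == "__main__":
    out, back, lost = demo()
    print("outbound after NAT :", out)
    print("reply after NAT    :", back)
    print("reply without state:", lost)
```

The two dictionaries mirror the two directions of a pf state entry: the gateway needs the forward key to reuse the same translated port for every packet of the flow, and the reverse key to find the client again when the reply arrives. Clearing `states` is the model's stand-in for a missing or expired state, which is why a translation rule cannot work without one.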