Date: Wed, 12 Oct 2005 19:59:37 +0200
From: Daniel Hartmeier <daniel@benzedrine.cx>
To: Artemiev Igor <ai@bmc.brk.ru>
Cc: freebsd-pf@freebsd.org
Subject: Re: NAT states
Message-ID: <20051012175937.GA2605@insomnia.benzedrine.cx>
In-Reply-To: <20051011155421.4e3b69cb.ai@bmc.brk.ru>
References: <20051011121205.4dfa7cf2.ai@bmc.brk.ru> <d4f1333a0510110336r71fae318w2d420a647a2e9c4b@mail.gmail.com> <d4f1333a0510110337rd8ce894qd45b285c1715f9c3@mail.gmail.com> <20051011155421.4e3b69cb.ai@bmc.brk.ru>
On Tue, Oct 11, 2005 at 03:54:21PM +0400, Artemiev Igor wrote:

> On Tue, 11 Oct 2005 05:37:48 -0500
> "Travis H." <solinym@gmail.com> wrote:
>
> > Oh, also another thing; do you initialize table <locals> somewhere?
> > If it is empty, nothing will match NAT rule.
>
> NAT state didn't match, I see it by pfctl -vs state and packet dropped.
> Consequently, nat is not working without an explicit rule for incoming
> traffic lan->internet on $lanif, and incoming internet->lan on $extif,
> in spite of created state and "pass" existing in nat rule. Why is that
> so?

Because a state entry does not allow a packet to pass _through_ the
firewall, but only to pass on one interface (the interface the state
was created on), in general.

Imagine a case where you have three interfaces. You want to allow a
particular connection to pass only between two of those interfaces, but
never through the third. If a state entry were a free ticket through
the entire firewall, you wouldn't be able to enforce this.

Create state on both interfaces, you'll end up with two states per
connection, and it'll work.

Daniel
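A pf.conf layout that follows Daniel's advice, added here as an illustration and not taken from the thread. The interface names, the contents of <locals> and the explicit "keep state" wording (pf of that era did not create state by default) are assumptions; it also assumes states bound to the interface they were created on, as Daniel describes.

```pf
# Added example, not from the thread. Interface names and addresses are assumed.
ext_if = "fxp0"
lan_if = "fxp1"

# Travis's point: an empty table matches nothing, so populate it.
table <locals> { 192.168.1.0/24 }

# Translation on the external interface. A "pass" keyword here would only
# pass the translated packet on $ext_if; it says nothing about $lan_if,
# so the filter rules below handle both interfaces explicitly.
nat on $ext_if from <locals> to any -> ($ext_if)

block log all

# State entry 1, bound to $lan_if: admits the LAN host's packet on its way
# in through $lan_if and the reply on its way back out of $lan_if.
pass in on $lan_if from <locals> to any keep state

# State entry 2, bound to $ext_if: the filter sees the packet after
# translation, so the source is the external address; the same state
# admits the reply arriving on $ext_if.
pass out on $ext_if from ($ext_if) to any keep state
```

With this in place, "pfctl -vs state" lists two entries per connection, one on each interface, which is the outcome Daniel predicts.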
Archive URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051012175937.GA2605>
