Date: Wed, 12 Oct 2005 19:59:37 +0200
From: Daniel Hartmeier <daniel@benzedrine.cx>
To: Artemiev Igor <ai@bmc.brk.ru>
Cc: freebsd-pf@freebsd.org
Subject: Re: NAT states
Message-ID: <20051012175937.GA2605@insomnia.benzedrine.cx>
In-Reply-To: <20051011155421.4e3b69cb.ai@bmc.brk.ru>
References: <20051011121205.4dfa7cf2.ai@bmc.brk.ru> <d4f1333a0510110336r71fae318w2d420a647a2e9c4b@mail.gmail.com> <d4f1333a0510110337rd8ce894qd45b285c1715f9c3@mail.gmail.com> <20051011155421.4e3b69cb.ai@bmc.brk.ru>
On Tue, Oct 11, 2005 at 03:54:21PM +0400, Artemiev Igor wrote:

> On Tue, 11 Oct 2005 05:37:48 -0500
> "Travis H." <solinym@gmail.com> wrote:
> > Oh, also another thing; do you initialize table <locals> somewhere?
> > If it is empty, nothing will match NAT rule.
> NAT state didn't match, I see it by pfctl -vs state and packet dropped.
> Consequently, nat is not working without an explicit rule for incoming
> traffic lan->internet on $lanif, and incoming internet->lan on $extif,
> in spite of created state and "pass" existing in nat rule. Why is that
> so?

Because a state entry does not allow a packet to pass _through_ the firewall, but only to pass on one interface (the interface the state was created on), in general.

Imagine a case where you have three interfaces. You want to allow a particular connection to pass only between two of those interfaces, but never through the third. If a state entry would be a free ticket through the entire firewall, you wouldn't be able to enforce this.

Create state on both interfaces, you'll end up with two states per connection, and it'll work.

Daniel
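A minimal pf.conf fragment, added here to illustrate Daniel's answer and not part of the thread or of any poster's ruleset; the interface names and the 192.168.1.0/24 LAN prefix are assumed, and it reflects the per-interface states pf used at the time (a state only matches packets on the interface it was created on):

```pf
# Assumed interface names and LAN prefix (not from the thread).
extif = "fxp0"
lanif = "fxp1"

# The table the nat rule matches on. If it is left empty, no packet matches
# the nat rule at all (Travis's point), so populate it explicitly.
table <locals> { 192.168.1.0/24 }

# NAT rule with "pass": a matching packet leaving on $extif is translated and
# passed without further filtering, and a state is created on $extif only.
nat pass on $extif from <locals> to any -> ($extif)

# Default deny on every interface.
block all

# This is the rule Igor's ruleset was missing. The same LAN packet is still
# filtered when it first enters on $lanif, and the state that nat created on
# $extif does not cover $lanif, so without this rule "block all" drops it.
# "keep state" creates the second, $lanif-bound state of the connection.
pass in on $lanif from <locals> to any keep state

# No "pass in on $extif" rule is needed: replies arriving on $extif match the
# state the nat rule created there, while unsolicited internet->lan traffic
# has no state on $extif and stays blocked.
```

With this ruleset, `pfctl -vs state` shows two entries per LAN connection, one bound to fxp1 and one to fxp0, which is the "two states per connection" Daniel describes.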
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051012175937.GA2605>