Date: Fri, 17 Jan 2020 16:53:33 +0100
From: "Lutz Donnerhacke" <lutz@donnerhacke.de>
To: "'Paul Procacci'" <pprocacci@gmail.com>, <freebsd-ipfw@freebsd.org>
Subject: AW: Stateful NAT w/ record-state
Message-ID: <008201d5cd4e$45e49890$d1adc9b0$@donnerhacke.de>
In-Reply-To: <CAFbbPug7s8%2BhS2UfudAytpo4sirFXYGREiHKH2Qiu=qiCbsMUQ@mail.gmail.com>
References: <CAFbbPuhGBEMCyexxQiareD6txd4Ehoq2WQWxw%2BO5hio_Out92g@mail.gmail.com> <CAFbbPug7s8%2BhS2UfudAytpo4sirFXYGREiHKH2Qiu=qiCbsMUQ@mail.gmail.com>
> >                      In Kernel Nat/Firewall
> >                  /---------------------------\
> > +--------+     +-------+     +-----+     +-------+     +-------+
> > | Client | --- | igb0  | --- | Nat | --- | igb1  | --- | Host  |
> > +--------+     +-------+     +-----+     +-------+     +-------+
> >
> > Requests originate from "client", come in via "igb0", get passed to "nat",
> > leave "igb1" reaching host .... no problem.
> >
> > 03000 nat 1 ip from any to any out via igb0

Jup.

> > The response leaving "host", come in via "igb1", get passed to "nat", and
> > get clobbered by ipfw's deny rule (see below).
> >
> > 50100 nat 1 ip from any to me in via igb0

igb1 != igb0

I'd suggest applying nat to any traffic on igb1 in both directions. So
routing is much easier (you never see the public NAT IP).
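An added example ruleset, not from this thread or from the FreeBSD project, that writes Lutz's suggestion out as ipfw commands: one nat rule bound to igb1 and matched with `via igb1`, so it translates in both directions and the public address never appears on the igb0 side. The nat config options, the rule numbers and the check-state/record-state pair are assumptions.

```shell
#!/bin/sh
# Added example (not from the mail thread). Emits an ipfw ruleset that
# applies NAT instance 1 on igb1 in both directions, then loads it only
# when an ipfw binary is present. Rule numbers and options are assumed.

gen_rules() {
    # Assumed: the public address is on igb1; "reset" flushes the
    # translation table if that address changes, "same_ports" keeps
    # source ports stable where possible.
    echo "nat 1 config if igb1 reset same_ports"
    # One rule, no "in"/"out": traffic crossing igb1 either way is
    # translated, so igb0 and the routing table only see private IPs.
    echo "add 3000 nat 1 ip from any to any via igb1"
    # Replies to sessions recorded below are accepted before any deny.
    echo "add 3100 check-state"
    # Record outbound sessions as they leave igb1 (already translated).
    echo "add 3200 allow ip from any to any out via igb1 record-state"
    # Unsolicited traffic arriving on igb1 is dropped.
    echo "add 3300 deny ip from any to any in via igb1"
}

apply_rules() {
    if command -v ipfw >/dev/null 2>&1; then
        gen_rules | while IFS= read -r rule; do
            # Word splitting is intended: each line is one ipfw command.
            # shellcheck disable=SC2086
            ipfw -q $rule
        done
    else
        # No ipfw here (e.g. not FreeBSD): just show what would be loaded.
        gen_rules
    fi
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

Run it with `--apply` on the NAT box as root; without the flag it only prints the rules.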