Date: Wed, 4 Feb 2015 08:13:00 -0700
From: Jason Lewis <me@sharktooth.org>
To: lev@freebsd.org
Cc: freebsd-ipfw@freebsd.org, Julian Elischer <julian@freebsd.org>, Ian Smith <smithi@nimnet.asn.au>
Subject: Re: [RFC][patch] Two new actions: state-allow and state-deny
Message-ID: <CAF0mCGCiW7hTTx37PrAS3xXCGU3hyPzB1GLi6M6uCZhTtV-crw@mail.gmail.com>
In-Reply-To: <54D21ADD.2090209@FreeBSD.org>
References: <54CFCD45.9070304@FreeBSD.org> <20150203205715.A38620@sola.nimnet.asn.au> <54D0A1AA.4080402@FreeBSD.org> <54D1AA60.4030907@freebsd.org> <54D1E4D4.10106@FreeBSD.org> <54D1FE72.1020508@freebsd.org> <20150204231922.X38620@sola.nimnet.asn.au> <54D2188D.5080800@FreeBSD.org> <54D21ADD.2090209@FreeBSD.org>
The possible issue is that once NAT changes the IP address and possibly the port number, state tracking can no longer be applied. AKA, the packet headers before the NAT are different than the packet headers after. This is why NAT needs to track the state instead of ipfw.
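The header mismatch described in the message above, shown as an added example that is not part of the original e-mail and is not ipfw code: a simplified Python model of a state table keyed on packet headers and a source NAT that rewrites address and port. All class names, addresses and ports are constructed for illustration.

```python
from collections import namedtuple

# Constructed 5-tuple; field names belong to this example, not to ipfw.
Flow = namedtuple("Flow", "proto src sport dst dport")

def reverse(f):
    """Headers of a reply travelling in the opposite direction."""
    return Flow(f.proto, f.dst, f.dport, f.src, f.sport)

class StateTable:
    """State keyed on packet headers, matched in either direction."""
    def __init__(self):
        self.states = set()
    def keep_state(self, f):
        self.states.add(f)
    def check_state(self, f):
        return f is not None and (f in self.states or reverse(f) in self.states)

class Nat:
    """Source NAT: rewrites source address and port, remembers the mapping."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip, self.next_port = public_ip, first_port
        self.out_map = {}  # (proto, inside ip, inside port) -> public port
        self.in_map = {}   # (proto, public port) -> (inside ip, inside port)
    def translate_out(self, f):
        key = (f.proto, f.src, f.sport)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(f.proto, self.next_port)] = (f.src, f.sport)
            self.next_port += 1
        return f._replace(src=self.public_ip, sport=self.out_map[key])
    def translate_in(self, f):
        inside = self.in_map.get((f.proto, f.dport)) if f.dst == self.public_ip else None
        if inside is None:
            return None  # no mapping exists: unsolicited packet
        return f._replace(dst=inside[0], dport=inside[1])

def demo():
    states, nat = StateTable(), Nat("192.0.2.1")
    outbound = Flow("tcp", "10.0.0.5", 51000, "198.51.100.7", 443)
    states.keep_state(outbound)            # state recorded on pre-NAT headers
    on_wire = nat.translate_out(outbound)  # headers after NAT
    reply = reverse(on_wire)               # what the remote host sends back
    before = states.check_state(reply)                   # lookup before de-NAT
    after = states.check_state(nat.translate_in(reply))  # lookup after de-NAT
    return on_wire, before, after

if __name__ == "__main__":
    print(demo())
```

In this model the reply only matches the recorded state once the NAT mapping has restored the original headers, so the lookup result depends on which side of the translation it runs.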