disabling implicit creation of state for NAT, BINAT and RDR
Daniel Hartmeier
daniel at benzedrine.cx
Tue Oct 23 23:59:41 PDT 2007
On Wed, Oct 24, 2007 at 01:50:55PM +0800, Nex Mon wrote:
> hello, is there a way to disable implicit creation of states for NAT, BINAT
> and RDR rules? the man page of pf.conf says this:
>
> Note: nat, binat and rdr rules implicitly create state for connections.
Yes, translations require states.
Imagine you have a connection from

  Client          Gateway            External
  10.1.2.3   ->   62.65.145.30   ->  69.147.83.33

i.e. the client 10.1.2.3 sends a TCP SYN to external server
69.147.83.33. The NAT gateway replaces the source address with
62.65.145.30.
Now the external server sends a TCP SYN+ACK back to 62.65.145.30.
How would the gateway know that this packet is for 10.1.2.3, and needs
the destination address translated back to 10.1.2.3, without a state
entry?
The state entry is the only part that holds this mapping information.
Daniel
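To make the point concrete, here is a toy stateful NAT gateway written for this page as an added example; it is not code from Daniel's reply or from pf. It uses the three addresses from the reply above, while the client source port (40000), the translated port pool starting at 50001 and the plain dictionary used as the "state table" are assumptions for illustration. The outbound SYN creates the state entry; the SYN+ACK from the external server can only be mapped back to 10.1.2.3 because that entry exists, and a reply for which no state exists is dropped because the gateway has nothing to translate it back to.

```python
"""Toy stateful NAT gateway (illustrative only, not pf's implementation).

Demonstrates why a translating gateway must keep state: the outbound
packet's mapping is the only record of which internal host a reply belongs to.
"""
from dataclasses import dataclass
from typing import Optional

# Addresses taken from the mailing-list example.
CLIENT = "10.1.2.3"
GATEWAY_EXT = "62.65.145.30"
SERVER = "69.147.83.33"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" for SYN, "SA" for SYN+ACK, etc.


class NatGateway:
    """Source-NAT gateway keyed on (internal addr, port, external addr, port)."""

    def __init__(self, external_ip: str, first_port: int = 50001):
        self.external_ip = external_ip
        # Forward state: (client, cport, server, sport) -> translated port.
        self.out_state = {}
        # Reverse state: (translated port, server, sport) -> (client, cport).
        self.in_state = {}
        self.next_port = first_port  # assumed port pool start, toy allocator

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside->outside packet, creating state on first sight."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out_state:
            port = self.next_port
            self.next_port += 1
            self.out_state[key] = port
            self.in_state[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.external_ip, self.out_state[key],
                      pkt.dst, pkt.dport, pkt.flags)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an outside->inside packet; None means 'drop, no state'."""
        if pkt.dst != self.external_ip:
            return None
        mapping = self.in_state.get((pkt.dport, pkt.src, pkt.sport))
        if mapping is None:
            # Without a state entry there is no way to know which internal
            # host (if any) this reply is for, so it cannot be translated.
            return None
        client, cport = mapping
        return Packet(pkt.src, pkt.sport, client, cport, pkt.flags)


def walk_through():
    """Replay the SYN / SYN+ACK exchange from the reply and a stray reply."""
    gw = NatGateway(GATEWAY_EXT)

    # 1. Client sends SYN; gateway rewrites the source and records state.
    syn = Packet(CLIENT, 40000, SERVER, 80, "S")  # source port assumed
    syn_out = gw.outbound(syn)

    # 2. Server answers SYN+ACK to the gateway's external address and
    #    translated port; the state entry maps it back to the client.
    synack = Packet(SERVER, 80, GATEWAY_EXT, syn_out.sport, "SA")
    synack_in = gw.inbound(synack)

    # 3. A SYN+ACK for a port no outbound packet ever used has no state.
    stray = Packet(SERVER, 80, GATEWAY_EXT, 1, "SA")
    stray_in = gw.inbound(stray)

    return syn_out, synack_in, stray_in


if __name__ == "__main__":
    out, back, stray = walk_through()
    print("outbound after NAT :", out)
    print("reply after un-NAT :", back)
    print("reply with no state:", stray)
```

The real pf state entry holds more than this (protocol, both address/port pairs, TCP sequence-window tracking, direction), but the dependency is the same: the translation for the returning packet is looked up from the state created by the packet that went out, which is why nat, binat and rdr rules cannot be stateless.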