disabling implicit creation of state for NAT, BINAT and RDR
Nex Mon
sugarfreemonkey at gmail.com
Wed Oct 24 00:52:12 PDT 2007
On 10/24/07, Daniel Hartmeier <daniel at benzedrine.cx> wrote:
>
> On Wed, Oct 24, 2007 at 01:50:55PM +0800, Nex Mon wrote:
>
> > hello, is there a way to disable implicit creation of states for NAT, BINAT
> > and RDR rules? the man page of pf.conf says this:
> >
> > Note: nat, binat and rdr rules implicitly create state for connections.
>
> Yes, translations require states.
>
> Imagine you have a connection from
>
> Client Gateway External
> 10.1.2.3 -> 62.65.145.30 -> 69.147.83.33
>
> i.e. the client 10.1.2.3 sends a TCP SYN to external server
> 69.147.83.33. The NAT gateway replaces the source address with
> 62.65.145.30.
>
> Now the external server sends a TCP SYN+ACK back to 62.65.145.30.
> How would the gateway know that this packet is for 10.1.2.3, and needs
> the destination address translated back to 10.1.2.3, without a state
> entry?
>
> The state entry is the only part that holds this mapping information.
Are you saying there is only one type of state for all the filter, RDR, etc.
rules? I have this understanding that NAT has its own translation table
where it keeps states of NAT sessions. So in the example above, the
only way to apply filter rules for translated (reply) packets would be at the
internal interface?

I'm curious about OpenBSD's implementation of "no state" which can be
applied to NAT, RDR, etc. Is there any chance this feature will be supported
in FreeBSD?
> Daniel
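The point Daniel makes above, that the state entry is the only thing holding the reverse mapping for a translated connection, as an added illustration that is not code from the thread or from pf itself: a minimal model of a stateful NAT gateway using the addresses from his example (the ports and the packet structure are constructed for the example). Outbound packets create a state entry keyed by the translated 4-tuple; the server's SYN+ACK is translated back to the client only by looking that entry up, and with state creation switched off the reply has nowhere to go.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Addresses from Daniel's example in the thread; ports are constructed.
CLIENT, GATEWAY, SERVER = "10.1.2.3", "62.65.145.30", "69.147.83.33"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" for SYN, "SA" for SYN+ACK


# State key as seen on the external side: (translated src, sport, dst, dport)
StateKey = Tuple[str, int, str, int]


class NatGateway:
    """Toy stateful NAT: outbound packets create a state entry, and replies
    can be translated back to the internal client only through that entry."""

    def __init__(self, external_addr: str) -> None:
        self.external_addr = external_addr
        # key -> (original internal src, original sport)
        self.states: Dict[StateKey, Tuple[str, int]] = {}

    def outbound(self, pkt: Packet, create_state: bool = True) -> Packet:
        # Replace the source address with the gateway's external address.
        nat = Packet(self.external_addr, pkt.sport, pkt.dst, pkt.dport, pkt.flags)
        if create_state:
            self.states[(nat.src, nat.sport, nat.dst, nat.dport)] = (pkt.src, pkt.sport)
        return nat

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        # The reply is addressed to the gateway; reverse the tuple and look it up.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        mapping = self.states.get(key)
        if mapping is None:
            return None  # no state: nothing says which client this reply belongs to
        orig_src, orig_sport = mapping
        return Packet(pkt.src, pkt.sport, orig_src, orig_sport, pkt.flags)


def demo(create_state: bool) -> Optional[Packet]:
    gw = NatGateway(GATEWAY)
    syn = Packet(CLIENT, 40000, SERVER, 80, "S")
    on_wire = gw.outbound(syn, create_state)
    # The server replies to what it saw on the wire: the gateway's address.
    synack = Packet(SERVER, 80, on_wire.src, on_wire.sport, "SA")
    return gw.inbound(synack)
```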