On Wed, Oct 24, 2007 at 01:50:55PM +0800, Nex Mon wrote:
> Hello, is there a way to disable implicit creation of states for NAT, BINAT
> and RDR rules? The man page of pf.conf says this:
>
> Note: nat, binat and rdr rules implicitly create state for connections.
Yes, translations require states. Imagine you have a connection from

  Client      Gateway         External
  10.1.2.3 -> 62.65.145.30 -> 69.147.83.33

i.e. the client 10.1.2.3 sends a TCP SYN to the external server 69.147.83.33. The NAT gateway replaces the source address with 62.65.145.30. Now the external server sends a TCP SYN+ACK back to 62.65.145.30. How would the gateway know that this packet is for 10.1.2.3, and needs the destination address translated back to 10.1.2.3, without a state entry? The state entry is the only part that holds this mapping information.

Daniel
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
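The reasoning in Daniel's reply, as an added worked example that is not part of the original thread and is not pf's code: a toy NAT gateway that keeps a per-connection state table in both directions. The addresses are the ones from the mail (client 10.1.2.3, gateway 62.65.145.30, server 69.147.83.33); the source ports and the 50001-and-up translated-port range are constructed assumptions. The outbound SYN creates the state entry and rewrites the source; the inbound SYN+ACK is matched against that entry to recover the client's address and port, and an inbound packet with no matching entry cannot be delivered to anyone and is dropped. It also shows why the entry must hold the translated port, not just the address: two clients that both use source port 40000 get distinct external ports, so their replies can be told apart.

```python
"""Toy model of why NAT on a pf gateway needs a state entry per connection.

Added example, not pf code. Addresses are the ones from the mailing-list post;
source ports and the translated-port range (50001 upward) are assumptions.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # e.g. "S" for SYN, "SA" for SYN+ACK


@dataclass
class State:
    """One state entry: the original tuple and how it was translated."""
    proto: str
    client: str
    client_port: int
    ext_port: int       # source port used on the external side
    server: str
    server_port: int


class NatGateway:
    def __init__(self, ext_addr: str, first_port: int = 50001):
        self.ext_addr = ext_addr
        self._next_port = first_port  # assumption: sequential port allocation
        # Outbound lookup: original (proto, client, cport, server, sport) -> State
        self._by_orig: Dict[Tuple, State] = {}
        # Inbound lookup: translated (proto, ext_port, server, sport) -> State
        self._by_xlat: Dict[Tuple, State] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Client -> Internet: create state on the first packet, rewrite source."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        st = self._by_orig.get(key)
        if st is None:
            st = State(pkt.proto, pkt.src, pkt.sport,
                       self._next_port, pkt.dst, pkt.dport)
            self._next_port += 1
            self._by_orig[key] = st
            self._by_xlat[(st.proto, st.ext_port, st.server, st.server_port)] = st
        return replace(pkt, src=self.ext_addr, sport=st.ext_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> client: only a matching state says which client this is."""
        if pkt.dst != self.ext_addr:
            return None
        st = self._by_xlat.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if st is None:
            return None  # no state: nothing tells us where to send it, so drop
        return replace(pkt, dst=st.client, dport=st.client_port)

    def state_count(self) -> int:
        return len(self._by_orig)


def demo() -> dict:
    gw = NatGateway("62.65.145.30")
    # Two internal clients that happen to pick the same source port.
    syn_a = Packet("tcp", "10.1.2.3", 40000, "69.147.83.33", 80, "S")
    syn_b = Packet("tcp", "10.1.2.4", 40000, "69.147.83.33", 80, "S")
    out_a = gw.outbound(syn_a)
    out_b = gw.outbound(syn_b)
    # Server replies to the translated tuples; the gateway maps them back.
    reply_a = gw.inbound(Packet("tcp", "69.147.83.33", 80,
                                "62.65.145.30", out_a.sport, "SA"))
    reply_b = gw.inbound(Packet("tcp", "69.147.83.33", 80,
                                "62.65.145.30", out_b.sport, "SA"))
    # Unsolicited inbound packet: no state entry, so it is dropped.
    stray = gw.inbound(Packet("tcp", "69.147.83.33", 80,
                              "62.65.145.30", 50099, "SA"))
    return {"out_a": out_a, "out_b": out_b, "reply_a": reply_a,
            "reply_b": reply_b, "stray": stray, "states": gw.state_count()}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The gateway's inbound path has nothing but the state table to consult: the SYN+ACK carries only 62.65.145.30 and the external port, and without the entry created by the outbound SYN there is no way to choose between 10.1.2.3 and 10.1.2.4, which is exactly why pf cannot offer a stateless `nat`/`rdr`/`binat`.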
