On 05Apr2013 11:34, Daniel Hartmeier wrote:
| On Fri, Apr 05, 2013 at 07:03:52PM +1100, Cameron Simpson wrote:
| > I was imagining NATing on an internal virtual interface to a private
| > address on some kind of internal virtual interface; this might keep
| > the necessary state without
ld then have a free hand internally.
| Sounds similar to what was done to ignore the great firewall of China,
| see http://www.cl.cam.ac.uk/~rnc1/ignoring.pdf :)
Sounds almost identical to what they did there! Thanks for the paper;
an interesting read.
Thanks,
--
Cameron Simpson
I thought back
a rule like:
pass in quick on $if_nat matching states
after the prefiltering, to do PF's usual match-states-first at that
point, with the conventional rules following.
Suggestions welcomed!
Cheers,
--
Cameron Simpson
Japanese phrase for the day: ikajanai ``(lit.) I am not a squid'&
