Date:      Wed, 21 May 2008 03:38:47 -0500
From:      David DeSimone <fox@verio.net>
To:        freebsd-pf@freebsd.org
Subject:   Re: nat pass and state
Message-ID:  <20080521083846.GB5072@verio.net>
In-Reply-To: <48337A93.9090003@highperformance.net>
References:  <48337A93.9090003@highperformance.net>

Jason C. Wells <jcw@highperformance.net> wrote:
>
> Would someone please explain why the nat rule is not sufficient to
> allow me to access a web page?  I must have a gross conceptual error
> on how PF works.  This is too simple, but I just don't get it.

The first packet arrives on $int_if and is blocked by "block in all". 
It never has a chance to route to $ext_if, and thus never matches the
nat rule.  The "nat pass" does not apply because the initial packet is
not arriving on $ext_if so it can't match the rule (yet).

You have to allow the connection in on $int_if first, then when it
routes out $ext_if it will match the nat rule and set up state.

-- 
David DeSimone == Network Admin == fox@verio.net
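
The reply's point, written out as a pf.conf before/after pair. This is an added example, not part of either message: the original poster's ruleset is not quoted, so the rules in the "before" block, the interface names and the LAN prefix are assumptions; only the $int_if/$ext_if macros, "block in all" and "nat pass" come from the thread.

```pf
# Macros: interface names and the LAN prefix are constructed for this example.
ext_if  = "em0"            # toward the Internet
int_if  = "em1"            # toward the LAN
lan_net = "192.168.1.0/24"

# --- Before: the situation described in the question (reconstructed) -------
# A LAN host's first packet enters on $int_if. Translation rules are matched
# per interface, so a nat rule "on $ext_if" is only consulted when the packet
# is about to leave on $ext_if. On ingress the filter sees "block in all"
# and drops the packet; it is never routed, so the nat rule never fires and
# no state is ever created.
#nat pass on $ext_if from $lan_net to any -> ($ext_if)
#block in all

# --- After: admit the connection on $int_if first ----------------------------
nat pass on $ext_if from $lan_net to any -> ($ext_if)

block in all                   # default deny on every interface

# Filter rules are last-match-wins (no "quick"), so this overrides the block
# only for traffic entering from the LAN and keeps state for the replies.
pass in on $int_if from $lan_net to any keep state

# The packet is now routed out $ext_if, matches the nat rule, and because the
# rule says "pass" the translated packet is passed without further filtering
# and gets its own state entry. Return traffic matches state, so no extra
# inbound rule on $ext_if is required.
```

If you prefer every permitted flow to be visible in the filter section, use plain `nat` instead of `nat pass` and add an explicit `pass out on $ext_if ... keep state`; the behaviour is the same but nothing bypasses the filter rules.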