Date:      Wed, 23 Oct 2002 20:16:51 -0400 (EDT)
From:      Andriy Gapon <>
Subject:   Re: Natd plus statefull connections impossible? (revisited)


Revisiting this issue, here are 2 ideas that I have encountered:

1. Since NAT is a stateful process in itself, you usually don't want
to have stateful rules for packets that were successfully translated and are
destined to your private network. It is quite easy to construct rules that
divert proper packets to natd and allow 'natd recognized' packets
immediately after the divert rule(s). You can put other rules (e.g. stateful
rules for the gateway itself) after you are done with translated packets. This
has an added benefit in case you use natd redirect_*, since you won't
need to have a special matching ipfw rule for each redirect_* option.

2. Or, you can use this quite elegant ruleset utilizing a skipto rule:
the page is in Russian, but the rules are in ipfw-ish :-) and each has a
comment in English.

Decide for yourself whether you trust natd and could use a tiny performance
benefit, or whether you want to be as secure as possible, double-checking natd with
Andriy Gapon
"Never try to outstubborn a cat." Lazarus Long, "Time Enough for Love"
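An ipfw ruleset in the spirit of idea 1 above, as an added example that is not part of the original message: everything crossing the outside interface is diverted to natd, what natd translated is accepted right after the divert, and stateful rules cover only the gateway's own traffic. Interface names, addresses and rule numbers are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the ipfw ruleset that
# idea 1 describes; every name and address below is an assumed placeholder.
oif="${OIF:-fxp0}"            # outside interface (assumed name)
iif="${IIF:-fxp1}"            # inside interface (assumed name)
oip="${OIP:-192.0.2.1}"       # gateway's public address (documentation range)
inet="${INET:-10.0.0.0/24}"   # private network behind natd (assumed)

# Print the rules in ipfw(8) file syntax, one per line.
natd_ruleset() {
    cat <<EOF
# loopback and the inside interface are trusted
add 5 allow ip from any to any via lo0
add 10 allow ip from any to any via ${iif}
# gateway's own outbound traffic: before the divert, the only packets with
# source ${oip} are the gateway's, so this keep-state rule sees only them
add 90 allow ip from ${oip} to any out via ${oif} keep-state
# everything crossing the outside interface goes through natd
add 100 divert natd ip from any to any via ${oif}
# inbound packets natd recognized now carry a private destination: accept
add 200 allow ip from any to ${inet} in via ${oif}
# outbound packets from private hosts were rewritten to ${oip}: accept
add 210 allow ip from ${oip} to any out via ${oif}
# what is left is untranslated traffic for the gateway itself: stateful only
add 300 check-state
add 65000 deny log ip from any to any
EOF
}

# Load the rules with ipfw when it is available; otherwise just show them.
apply_ruleset() {
    if command -v ipfw >/dev/null 2>&1; then
        ipfw -q -f flush
        natd_ruleset | grep -v '^#' | while read -r rule; do ipfw -q $rule; done
    else
        natd_ruleset
    fi
}

natd_ruleset
```

Run `apply_ruleset` on the gateway to load the rules; `natd_ruleset` alone prints them for review.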
