Date:      Wed, 24 Oct 2007 15:51:59 +0800
From:      "Nex Mon" <sugarfreemonkey@gmail.com>
To:        "Daniel Hartmeier" <daniel@benzedrine.cx>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: disabling implicit creation of state for NAT, BINAT and RDR
Message-ID:  <1fc8a2a60710240051l4a5744bawacf48c47276ccba4@mail.gmail.com>
In-Reply-To: <20071024065938.GA20387@insomnia.benzedrine.cx>
References:  <1fc8a2a60710232250i5954c8c3tc501ed4ec71dac80@mail.gmail.com> <20071024065938.GA20387@insomnia.benzedrine.cx>

On 10/24/07, Daniel Hartmeier <daniel@benzedrine.cx> wrote:
>
> On Wed, Oct 24, 2007 at 01:50:55PM +0800, Nex Mon wrote:
>
> > hello, is there a way to disable implicit creation of states for NAT, BINAT
> > and RDR rules? the man page of pf.conf says this:
> >
> > Note: nat, binat and rdr rules implicitly create state for connections.
>
> Yes, translations require states.
>
> Imagine you have a connection from
>
>   Client      Gateway         External
>   10.1.2.3 -> 62.65.145.30 -> 69.147.83.33
>
> i.e. the client 10.1.2.3 sends a TCP SYN to external server
> 69.147.83.33. The NAT gateway replaces the source address with
> 62.65.145.30.
>
> Now the external server sends a TCP SYN+ACK back to 62.65.145.30.
> How would the gateway know that this packet is for 10.1.2.3, and needs
> the destination address translated back to 10.1.2.3, without a state
> entry?
>
> The state entry is the only part that holds this mapping information.


Are you saying there is only one type of state for all the filter, RDR, etc.
rules? I have this understanding that NAT has its own translation table
where it keeps states of NAT sessions. So in the example above, the
only way to apply filter rules for translated (reply) packets would be at the
internal interface?

I'm curious about OpenBSD's implementation of "no state" which can be
applied to NAT, RDR, etc. Is there any chance this feature will be supported
in FreeBSD?

> Daniel



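The mapping Daniel describes above, as an added example that is not part of the thread: a small Python model of a NAT gateway's state table using the addresses from his example. The Packet and NatGateway classes, the port numbers and the create_state switch are my own constructions, not pf's implementation; the switch shows why a SYN+ACK cannot be translated back when no state entry was kept.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed minimal TCP packet header (addresses and ports only)."""
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    """Source NAT as in the thread: outbound packets leave with the gateway
    address, and the state created at that moment is the only record that
    says which internal client a reply belongs to."""

    def __init__(self, external_ip):
        self.external_ip = external_ip
        # (gw_ip, gw_port, dst, dport) -> (original_src, original_sport)
        self.states = {}
        self.next_port = 50000  # constructed translated-port allocator

    def outbound(self, pkt, create_state=True):
        gw_port = self.next_port
        self.next_port += 1
        if create_state:
            key = (self.external_ip, gw_port, pkt.dst, pkt.dport)
            self.states[key] = (pkt.src, pkt.sport)
        return Packet(self.external_ip, gw_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        # The reply is addressed to the gateway; reverse it through the state.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        mapping = self.states.get(key)
        if mapping is None:
            return None  # no state: nothing tells us which client this is for
        orig_src, orig_sport = mapping
        return Packet(pkt.src, pkt.sport, orig_src, orig_sport)


def demo(create_state):
    """Client 10.1.2.3 -> gateway 62.65.145.30 -> server 69.147.83.33,
    then the server's SYN+ACK comes back; returns the untranslated reply
    or None if the gateway could not map it."""
    gw = NatGateway("62.65.145.30")
    syn = Packet("10.1.2.3", 40000, "69.147.83.33", 80)
    out = gw.outbound(syn, create_state)
    synack = Packet("69.147.83.33", 80, out.src, out.sport)
    return gw.inbound(synack)
```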