Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 10 Apr 2003 08:39:23 -0700
From:      Michael Sierchio <kudzu@tenebras.com>
To:        "Earl A. Killian" <earl@killian.com>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: nat vs. state
Message-ID:  <3E95902B.8030607@tenebras.com>
In-Reply-To: <16021.30488.437183.530248@sax.killian.com>
References:  <16021.30488.437183.530248@sax.killian.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Earl A. Killian wrote:
> Is it safe to assume packets diverted to NAT are "safe" and don't need
> further checking?  In particular, can the use of dynamic/stateful
> rules be skipped for NAT packets?  It seems so, because NAT is already
> stateful.

Safe?  Define "safe." ;-)

For *dynamic* nat, probably so.  For static nat (port/addr redirect)
you'll probably want to have robust rules after diverting to natd.





Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?3E95902B.8030607>