On Tue, Oct 11, 2005 at 03:54:21PM +0400, Artemiev Igor wrote:
> On Tue, 11 Oct 2005 05:37:48 -0500
> "Travis H." <[EMAIL PROTECTED]> wrote:
> > Oh, also another thing; do you initialize table <locals> somewhere?
> > If it is empty, nothing will match NAT rule.
> NAT state didn't match, I see it by pfctl -vs state and packet dropped.
> Consequently, nat is not working without an explicit rule for incoming
> traffic lan->internet on $lanif, and incoming internet->lan on $extif,
> in spite of created state and "pass" existing in nat rule. Why is that
> so?
Because a state entry does not allow a packet to pass _through_ the firewall, but only to pass on one interface (the interface the state was created on), in general.

Imagine a case where you have three interfaces. You want to allow a particular connection to pass only between two of those interfaces, but never through the third. If a state entry would be a free ticket through the entire firewall, you wouldn't be able to enforce this.

Create state on both interfaces; you'll end up with two states per connection, and it'll work.

Daniel

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
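A minimal pf.conf sketch of what Daniel describes, added here as an illustration and not taken from the thread or from any poster; the interface names fxp0/fxp1 and the 192.168.1.0/24 prefix are assumptions, and the ruleset is for the 2005-era pf syntax where `keep state` is explicit:

```pf
# Added example (not from the thread): create state on BOTH interfaces so a
# LAN->Internet connection gets one state entry on $lanif and a second one on
# $extif. Interface names and the address prefix are constructed for this example.
extif = "fxp0"
lanif = "fxp1"

# The table must actually be populated; an empty <locals> matches nothing,
# so the nat rule below would never translate anything.
table <locals> { 192.168.1.0/24 }

# Translate LAN sources to the external address. This only governs packets
# on $extif; it does not grant them passage on $lanif.
nat on $extif from <locals> to any -> ($extif)

# Default deny, then one explicit state-creating rule per interface.
block log all

# 1) State on the inside interface: LAN host -> anywhere, entering on $lanif.
#    Replies toward the LAN match this same (bidirectional) state on $lanif.
pass in on $lanif from <locals> to any keep state

# 2) State on the outside interface: the translated packet leaving on $extif.
#    Replies from the Internet match this second state on $extif.
pass out on $extif from ($extif) to any keep state
```

After loading this, `pfctl -vs state` should show two entries per LAN connection, one created on each interface, which is the behaviour the reply above describes.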
