Rabellino Sergio wrote:
> Dear list,
> when listing the current nat mappings with ipnat -l, I got listed
> some mappings that are very old (more than 30 minutes), even if the
> generating host is physically unplugged from the network (I did it to
> test this behaviour).

For TCP, NAT sessions are expired using the same mechanism as stateful filtering, so that if IPFilter sees the start of a connection (SYN, SYN-ACK, etc) then it needs to see the close (FIN, etc) in order to remove it correctly.

> I've changed the value in ip_nat.h
>
> #define DEF_NAT_AGE 120
>
> then compile/uninstall/install

You don't need to do that (and it won't affect TCP.) You can just put "age 120/120" on the end of your "map" rules.

Darren
