On Oct 13 12:08, Martin Husemann wrote:
> With above routing table this should already happen - no concrete local subnet
> matching, so it will pick "default".

Yes, I tried and it does!

> > With a routing table
> > entry, or with a rule (the `pass stateful out all' in soho_gw-npf.conf)
> > in npf?
>
> That rule does not change routing, it just allows the packet to go out,
> and also creates a NAT state entry so any answers are allowed back in.

I checked npf.conf(5) and also <http://rmind.github.io/npf/configuration.html> but I wasn't able to determine this. Thank you, it is exactly as you said: I tried with ssh, ping and also a random client/server communication on a random port with nc(1).

> In general it is best to get packet flow working first and then start caring
> about filtering, but with NAT this is tricky.

Why is this tricky with NAT? Because when a request exits from the gateway, it exits from a port determined by the NAT, but when the answer gets back to the gateway, it is hard to recognize it? I still can't figure it out. If you think there's a better way, let me know.

Also, so far, I still didn't try with the `map' keyword in npf.conf (which I thought was the only way to perform NAT).

Thanks a lot!

Rocky
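As an added illustration of the two pieces discussed in this thread (the `map' keyword and the `pass stateful out' rule), here is a minimal gateway npf.conf. It is not taken from the thread or from NetBSD's soho_gw-npf.conf example; the interface names wm0/wm1, the internal network 10.1.1.0/24, and the NetBSD 6-era `group (name ..., interface ...)' syntax are assumptions, so check npf.conf(5) on your release before using it.

```npf
# Assumed interface names: wm0 faces the Internet, wm1 faces the LAN.
$ext_if = "wm0"
$int_if = "wm1"

# Assumed internal network behind the gateway.
$localnet = { 10.1.1.0/24 }

# The 'map' rule is what performs the translation: packets from $localnet
# leaving via $ext_if get their source rewritten to the address of $ext_if
# (dynamic NAT, i.e. masquerading with a port chosen by npf).
map $ext_if dynamic $localnet -> $ext_if

group (name "external", interface $ext_if) {
	# 'pass stateful out' lets the (now translated) packet leave and
	# creates a state entry keyed on the translated 5-tuple, so the
	# reply is matched and allowed back in without a separate 'in' rule.
	pass stateful out final all

	# Everything else arriving on the external side is dropped.
	block in final all
}

group (name "internal", interface $int_if) {
	# Only traffic from the internal network may enter the gateway here.
	block all
	pass final from $localnet
}

group (default) {
	# Loopback is unrestricted; anything not matched above is dropped.
	pass final on lo0 all
	block all
}
```

Load it with `npfctl reload' and `npfctl start', then `npfctl list' shows the active ruleset and `npfctl sess-list' (the exact subcommand name varies between releases) the state entries; watching a new entry appear when an internal host opens a connection outward, and the reply being accepted with no matching `pass in' rule, is the quickest way to confirm that the stateful rule rather than routing is what admits the answer.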