Hi,

As characterized by C. Huitema of Microsoft in http://www.ietf.org/internet-drafts/draft-ietf-ngtrans-shipworm-05.txt (IPv6 tunnels through NATs using UDP), there are basically 4 kinds of NATs with respect to how strictly they check incoming packets to "allocated" NAT ports:
--8<--
Experience shows that the implementers of NAT products can adopt widely different treatments of UDP mappings:

1) Some implement the simplest solution, which is to map an internal UDP port, defined by an internal address and a port number on the corresponding host, to an external port, defined by a global address managed by the NAT and a port number valid for that address. In this simple case, the mapping is retained as long as the port is active, and is removed after an inactivity timer. As long as the mapping is retained, any packet received by the NAT for the external port is relayed to the internal address and port. These NATs are usually called "cone NATs".

2) Some implement a more complex solution, in which the NAT not only establishes a mapping for the UDP port, but also maintains a list of external hosts to which traffic has been sent from that port. The packets originating from third party hosts to which the local host has not yet sent traffic are rejected. These NATs are usually called "restricted cone NATs".

3) Instead of keeping just a list of authorized hosts, some NAT implementations keep a list of authorized host and port pairs. UDP packets coming from remote addresses are rejected if the internal host has not yet sent traffic to the outside host and port pair. These NATs are often called "port restricted cone NATs".

4) Finally, some NATs map the same internal address and port pair to different external address and port pairs, depending on the address of the remote host. These NATs are usually called "symmetric NATs".

Measurement campaigns and studies of documentation have shown that most NATs implement either option 1 or option 2, i.e. cone NATs or restricted cone NATs. The Teredo solution ensures connectivity for all NAT types and all configurations, but it is legitimate to seek an optimization in the case of cone NATs or restricted cone NATs.
--8<--

I'm curious which kind of NAT Netfilter (and possibly the old ipchains NAT) uses? Please Cc:.
--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
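The four NAT behaviours quoted above, as an added simulation that is not part of the original message or of the draft: a small model of the mapping table and the inbound filtering decision for each type, so the difference between "cone", "restricted cone", "port restricted cone" and "symmetric" can be seen on concrete packets. Addresses, ports and the host names are constructed for the example. Two points are assumptions rather than text from the draft: the symmetric case keys its mapping on the remote address and port pair (the draft only says "address of the remote host"; RFC 3489-style symmetric NATs use the pair), and symmetric inbound filtering is modelled as port restricted, which the draft does not spell out.

```python
"""Model of the four UDP NAT types described in draft-ietf-ngtrans-shipworm-05.

Constructed example; it does not reflect any particular NAT implementation
(Netfilter, ipchains or otherwise), only the behaviours the draft describes.
"""
import itertools
from enum import Enum, auto


class NatType(Enum):
    CONE = auto()             # any inbound packet to a mapped port is relayed
    RESTRICTED = auto()       # inbound only from addresses already sent to
    PORT_RESTRICTED = auto()  # inbound only from (address, port) pairs already sent to
    SYMMETRIC = auto()        # one external port per remote peer


class Nat:
    def __init__(self, kind, ext_addr="198.51.100.1", first_port=40000):
        self.kind = kind
        self.ext_addr = ext_addr
        self._ports = itertools.count(first_port)  # external ports handed out in order
        self.map_out = {}  # mapping key -> external port
        self.map_in = {}   # external port -> (internal addr, internal port)
        self.peers = {}    # external port -> set of (remote addr, remote port) sent to

    def _key(self, int_addr, int_port, dst_addr, dst_port):
        if self.kind is NatType.SYMMETRIC:
            # Assumption: symmetric mapping keyed on the remote (addr, port) pair.
            return (int_addr, int_port, dst_addr, dst_port)
        return (int_addr, int_port)

    def outbound(self, int_addr, int_port, dst_addr, dst_port):
        """Internal host sends a datagram; returns the (ext_addr, ext_port) used."""
        key = self._key(int_addr, int_port, dst_addr, dst_port)
        ext_port = self.map_out.get(key)
        if ext_port is None:
            ext_port = next(self._ports)
            self.map_out[key] = ext_port
            self.map_in[ext_port] = (int_addr, int_port)
            self.peers[ext_port] = set()
        self.peers[ext_port].add((dst_addr, dst_port))
        return (self.ext_addr, ext_port)

    def inbound(self, src_addr, src_port, ext_port):
        """Datagram arrives from outside; returns internal (addr, port) or None if dropped."""
        target = self.map_in.get(ext_port)
        if target is None:
            return None  # no mapping for this port, for every NAT type
        peers = self.peers[ext_port]
        if self.kind is NatType.CONE:
            return target
        if self.kind is NatType.RESTRICTED:
            return target if any(addr == src_addr for addr, _ in peers) else None
        # PORT_RESTRICTED, and (assumed) SYMMETRIC: exact (addr, port) match required.
        return target if (src_addr, src_port) in peers else None


def demo(kind):
    """Run one scenario through a NAT of the given kind and summarise what gets through.

    Constructed scenario: internal 10.0.0.2:5000 talks to peer A (203.0.113.10:3478)
    and peer B (203.0.113.20:3478); then A, A from another port, and a third party
    C (203.0.113.30) each try to reach the external port allocated for peer A.
    """
    nat = Nat(kind)
    _, port_a = nat.outbound("10.0.0.2", 5000, "203.0.113.10", 3478)
    _, port_b = nat.outbound("10.0.0.2", 5000, "203.0.113.20", 3478)
    return {
        "same_port_for_second_peer": port_a == port_b,
        "from_peer_a_same_port": nat.inbound("203.0.113.10", 3478, port_a) is not None,
        "from_peer_a_other_port": nat.inbound("203.0.113.10", 9999, port_a) is not None,
        "from_third_party": nat.inbound("203.0.113.30", 3478, port_a) is not None,
    }


if __name__ == "__main__":
    for kind in NatType:
        print(kind.name, demo(kind))
```

Running the scenario, the cone NAT relays all three inbound packets on the same external port, the restricted cone drops only the third party, the port restricted cone also drops peer A's second source port, and the symmetric NAT additionally hands peer B a different external port, which is what makes hole punching through it hard.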