If you need NAT, you have to do that on the external interface, and it
requires (implies, even) creating states.

However, you can filter statelessly on the internal interface (the
states won't match there (wrong direction, if-bound)), dropping outgoing
TCP RST, passing everything else.

Sounds similar to what was done to ignore the great firewall of China,
see http://www.cl.cam.ac.uk/~rnc1/ignoring.pdf :)
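One way to write the pf ruleset sketched above, as an added example that is not the poster's own config; the interface names, the LAN prefix and the older `nat on` syntax are assumptions:

```conf
# Assumed interface names and LAN prefix (not from the original message)
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"

# States must be interface-bound, otherwise the NAT states created on
# $ext_if would also match on $int_if and bypass the stateless rules below.
set state-policy if-bound

# NAT on the external interface; the translated flows are tracked by the
# stateful pass rule further down.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Internal interface: purely stateless. Drop TCP segments with RST set that
# are heading out towards the LAN (i.e. RSTs arriving from the outside,
# including injected ones), pass everything else without creating state.
block drop out quick on $int_if proto tcp from any to $lan_net flags R/R
pass in  quick on $int_if all no state
pass out quick on $int_if all no state

# External interface: normal stateful filtering for the NATed traffic.
pass out on $ext_if all keep state
```

Note that this also discards legitimate RSTs towards LAN hosts, so aborted connections on the client side only time out instead of failing fast.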
