On Thu, Sep 11, 2003 at 04:49:27PM +0200, Cedric Berger wrote:

>  3) somehow, a NAT rule is created to make that 2nd connection
>     originate from the same socket as the first connection/packet.

*cough* embryonic state *cough*

All you need is to insert a state entry that will be completed to a
normal state when the first packet goes out (and defines the priorly
unknown, random source port). The translation can be done by that state,
and when the connection terminates, the state is removed, and you don't
have to clean up any rules.

Daniel
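
The mechanism described in the message above, sketched as a small state table. This is an added example, not part of the original message and not pf's code; the struct, the function names and the use of port 0 as the "unknown" marker are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>

#define MAX_STATES 8
#define PORT_ANY   0   /* assumed marker: source port not known yet */

struct state {
    int      used;
    uint32_t src, dst;        /* original source / destination address */
    uint16_t sport, dport;    /* sport == PORT_ANY while embryonic */
    uint32_t nat_src;         /* translated source address */
    uint16_t nat_sport;       /* translated source port */
};

static struct state table[MAX_STATES];

/* Insert an embryonic state: everything is known except the source port. */
struct state *state_insert_embryonic(uint32_t src, uint32_t dst, uint16_t dport,
                                     uint32_t nat_src, uint16_t nat_sport)
{
    for (size_t i = 0; i < MAX_STATES; i++) {
        if (!table[i].used) {
            table[i] = (struct state){1, src, dst, PORT_ANY, dport, nat_src, nat_sport};
            return &table[i];
        }
    }
    return NULL;  /* table full */
}

/* Match an outgoing packet. A completed state must match the source port
 * exactly; an embryonic state matches any source port and is completed by
 * the first packet that hits it. */
struct state *state_match_out(uint32_t src, uint16_t sport, uint32_t dst, uint16_t dport)
{
    struct state *embryo = NULL;
    for (size_t i = 0; i < MAX_STATES; i++) {
        struct state *s = &table[i];
        if (!s->used || s->src != src || s->dst != dst || s->dport != dport)
            continue;
        if (s->sport == sport)
            return s;                 /* completed state wins */
        if (s->sport == PORT_ANY && embryo == NULL)
            embryo = s;
    }
    if (embryo != NULL)
        embryo->sport = sport;        /* first packet defines the random port */
    return embryo;
}

/* Connection closed: dropping the state is the only cleanup required. */
void state_remove(struct state *s) { s->used = 0; }
```

Once the first packet has completed the entry, a packet from a different source port no longer matches it, so the wildcard is open only until the connection actually starts.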