On 05Apr2013 08:45, Daniel Hartmeier <dan...@benzedrine.cx> wrote:
| If you need NAT, you have to do that on the external interface, and it
| requires (implies, even) creating states.

I was imagining NATing on an internal virtual interface to a private address on some kind of internal virtual interface; this might keep the necessary state without being the outermost layer. And then to do stateless filtering of RSTs on the real physical external interface (because the NAT states are not present there, or even if floating, will not match), and then have some kind of stateless binat or other rewrite of the remaining non-RST packets from the real external address to the private address used for the NAT.

| However, you can filter statelessly on the internal interface (the
| states won't match there (wrong direction, if-bound), dropping outgoing
| TCP RST, passing everything else.

Won't the RST packets shut down the TCP states as they traverse to the external interface? I'd be happy to filter the RSTs as they exit the internal interface as you suggest; I didn't think it would work because PF will track the state implied by the RSTs as they enter on the external interface, and presumably start rejecting regular traffic anyway. Am I wrong here? (I'll try it anyway; it would be nice if it worked.)

I'd considered making the states if-bound earlier, but further thought suggested it wouldn't do me any good. But as you say, if the states are on the external interface I would then have a free hand internally.

| Sounds similar to what was done to ignore the great firewall of China,
| see http://www.cl.cam.ac.uk/~rnc1/ignoring.pdf :)

Sounds almost identical to what they did there! Thanks for the paper; an interesting read.

Thanks,
--
Cameron Simpson <c...@zip.com.au>

I thought back to other headaches from my past and sneered at their ineffectiveness. - Harry Harrison
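The layout Daniel describes (stateful NAT on the external interface, stateless dropping of forwarded TCP RSTs on the internal interface), written out as a pf.conf sketch; this is an added illustration, not configuration from either poster, and the interface names and network are assumed. It does not settle the open question above of whether the injected RST still closes the state on the external interface before the internal rule sees it.

```pf
# Added illustrative pf.conf fragment; interface names and network are assumptions.
ext_if  = "em0"          # physical external interface (assumed)
int_if  = "em1"          # physical internal interface (assumed)
int_net = "10.0.0.0/24"  # constructed internal network

# States are bound to the interface they were created on, so a state made
# for the NATed flow on $ext_if is not consulted for packets on $int_if.
set state-policy if-bound

# Stateful NAT lives on the external interface, as Daniel notes it must.
match out on $ext_if inet from $int_net nat-to ($ext_if)
pass  out on $ext_if inet from $int_net keep state

# Internal interface is handled without state, so every packet here is
# evaluated against the rules rather than short-circuited by a state match.
# A TCP RST being forwarded toward an internal host is dropped; everything
# else is passed unchanged.
block out quick on $int_if proto tcp flags R/R no state
pass  on $int_if inet no state
```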