> primarily for services from an ASP we use. All of the information I
> have found indicates that in order for a Linux/BSD machine to act as
> a stateful firewall (or any kind of firewall for that matter), it must
> also be doing NAT translation. That intuitively seems wrong, and would

You're right, it's not correct. A lot of the documentation does assume you're going to use NAT with stateful connections, but you don't have to. Both IPFilter and Netfilter support stateful connections without using NAT. Behind the scenes, netfilter does require connection tracking in order for NAT to work, but not vice versa.

> Based on my
> simple explanation of the configuration, do any of you have
> suggestions for firewall placement that may be better? Ideally, I

That's really tough to make a recommendation without knowing all of your requirements and a detailed "picture" of your network.

Steve Bremer
NEBCO, Inc.