AW: Stateful NAT w/ record-state
Lutz Donnerhacke
lutz at donnerhacke.de
Fri Jan 17 15:53:40 UTC 2020
> >                      In Kernel Nat/Firewall
> >                      /---------------------\
> > +--------+     +-------+     +-----+     +-------+     +-------+
> > | Client | --- | igb0  | --- | Nat | --- | igb1  | --- | Host  |
> > +--------+     +-------+     +-----+     +-------+     +-------+
> >
> > Requests originate from "client", come in via "igb0", get passed to "nat",
> > leave "igb1" reaching host .... no problem.
> >
> > 03000 nat 1 ip from any to any out via igb0
Yup.
> > The response leaving "host", come in via "igb1", get passed to "nat", and
> > get clobbered by ipfw's deny rule (see below).
> >
> > 50100 nat 1 ip from any to me in via igb0
igb1 != igb0
I'd suggest applying NAT to any traffic on igb1 in both directions.
That way routing is much easier (you never see the public NAT IP).
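As an added example (not code from the thread or from either poster), here is an ipfw in-kernel NAT ruleset that applies nat 1 on igb1 in both directions, as suggested above, combined with explicit check-state/record-state so that replies are matched after translation. It assumes igb0 is the client side, igb1 is the side that carries the public NAT address, and 192.168.1.0/24 is the client network; none of these values are stated in the thread. The script can be run on FreeBSD with `sh nat-igb1.sh load` (as root) or dry-run anywhere with `DRY_RUN=1 sh nat-igb1.sh load`, which only prints the commands.

```shell
#!/bin/sh
# Added example: in-kernel NAT on igb1 in both directions, stateful.
# Assumptions (not from the thread): igb0 = client side, igb1 = side with the
# public NAT address, 192.168.1.0/24 = client network.
# Usage:  sh nat-igb1.sh load          (FreeBSD, root)
#         DRY_RUN=1 sh nat-igb1.sh load (print the commands only)

INSIDE_IF=${INSIDE_IF:-igb0}
OUTSIDE_IF=${OUTSIDE_IF:-igb1}
INSIDE_NET=${INSIDE_NET:-192.168.1.0/24}

# run: execute the command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

load_ruleset() {
    # With one_pass=1 a packet is accepted right after a nat action and never
    # reaches check-state, so stateful matching of translated replies breaks.
    run sysctl net.inet.ip.fw.one_pass=0

    run ipfw -q -f flush
    # Translate to the address configured on the outside interface; "reset"
    # clears the alias table when that address changes.
    run ipfw -q nat 1 config if "$OUTSIDE_IF" same_ports unreg_only reset

    run ipfw -q add 100 allow ip from any to any via lo0

    # Inbound on the outside interface: undo the translation before anything
    # else. Replies come in via igb1, not igb0, so this is where the rule
    # must sit.
    run ipfw -q add 200 nat 1 ip4 from any to any in via "$OUTSIDE_IF"

    # Explicit state lookup. record-state (unlike keep-state) performs no
    # implicit check-state, so this rule is required.
    run ipfw -q add 300 check-state

    # New outbound flows from the client net: record a dynamic rule with the
    # pre-NAT addresses, then jump to the outbound nat rule. A translated
    # reply matches this state at rule 300 and inherits the skipto.
    run ipfw -q add 400 skipto 1000 ip4 from "$INSIDE_NET" to any out via "$OUTSIDE_IF" record-state

    # Unsolicited inbound traffic on the outside interface matched no state.
    run ipfw -q add 500 deny ip from any to any in via "$OUTSIDE_IF"

    # Outbound on the outside interface: translate, then allow.
    run ipfw -q add 1000 nat 1 ip4 from any to any out via "$OUTSIDE_IF"
    run ipfw -q add 1001 allow ip from any to any
}

if [ "${1:-}" = "load" ]; then
    load_ruleset
fi
```

Walking a client request through: inbound on igb0 it matches nothing until rule 1001 and is allowed; outbound on igb1 rule 400 records state with the client's private address and jumps to rule 1000, which rewrites the source to the igb1 address. The reply arrives in via igb1, is translated back at rule 200, matches the dynamic rule at rule 300 and is allowed via the skipto; nothing in the ruleset needs to mention the public address or igb0.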