NAT states

Daniel Hartmeier daniel at benzedrine.cx
Wed Oct 12 11:00:33 PDT 2005


On Tue, Oct 11, 2005 at 03:54:21PM +0400, Artemiev Igor wrote:

> On Tue, 11 Oct 2005 05:37:48 -0500
> "Travis H." <solinym at gmail.com> wrote:
> > Oh, also another thing; do you initialize table <locals> somewhere?
> > If it is empty, nothing will match NAT rule.
> NAT state didn't match, I see it by pfctl -vs state and packet dropped.
> Consequently, nat is not working without an explicit rule for incoming
> traffic lan->internet on $lanif, and incoming internet->lan on $extif,
> in spite of created state and "pass" existing in nat rule. Why is that
> so?

Because a state entry does not allow a packet to pass _through_ the
firewall, but only to pass on one interface (the interface the state was
created on), in general.

Imagine a case where you have three interfaces. You want to allow a
particular connection to pass only between two of those interfaces, but
never through the third. If a state entry would be a free ticket through
the entire firewall, you wouldn't be able to enforce this.

Create state on both interfaces, you'll end up with two states per
connection, and it'll work.

Daniel
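A minimal pf.conf illustrating the point above, added here as a constructed example rather than anything posted in the thread: the nat rule only translates, and the connection is explicitly passed (with its own state) on each of the two interfaces it crosses. Interface names, the LAN network, and the contents of table <locals> are assumptions, and the syntax is the pre-OpenBSD-4.7 form in use at the time of this post.

```pf
# Constructed example (not from the thread). Interface names, the LAN
# network and the table contents are assumptions.
ext_if = "fxp0"
lan_if = "fxp1"

# The table referenced by the nat rule must actually be populated;
# an empty <locals> means the nat rule never matches.
table <locals> { 192.168.1.0/24 }

# Translation only. Filtering is left to the pass rules below instead of
# the nat rule's "pass" modifier, so each interface gets its own state.
nat on $ext_if from <locals> to any -> ($ext_if)

# Default deny on every interface.
block all

# A state entry only lets a packet pass on the interface it was created
# on, not through the whole firewall. So the LAN -> internet connection
# is passed (and gets a state) on BOTH interfaces: two states per
# connection, as the reply above describes.

# 1) packet arrives from the LAN on $lan_if (not yet translated here)
pass in  on $lan_if from <locals> to any keep state

# 2) the same packet leaves on $ext_if; nat has already rewritten the
#    source to ($ext_if), so no <locals> match is attempted here
pass out on $ext_if keep state
```

After loading this, `pfctl -vs state` should show one state on each interface for a single LAN -> internet connection; if only the $ext_if state appears, the $lan_if pass rule is the one that is missing.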


More information about the freebsd-pf mailing list