disabling implicit creation of state for NAT, BINAT and RDR

Daniel Hartmeier daniel at benzedrine.cx
Tue Oct 23 23:59:41 PDT 2007

On Wed, Oct 24, 2007 at 01:50:55PM +0800, Nex Mon wrote:

> hello, is there a way to disable implicit creation of states for NAT, BINAT
> and RDR rules? the man page of pf.conf says this:
> Note: nat, binat and rdr rules implicitly create state for connections.

Yes, translations require states.

Imagine you have a connection from

  Client -> Gateway -> External

i.e. the client sends a TCP SYN to the external server. The NAT gateway replaces the source address with

Now the external server sends a TCP SYN+ACK back to
How would the gateway know whom this packet is for, and that it needs
the destination address translated back to, without a state?

The state entry is the only part that holds this mapping information.
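As an added example (not part of the original post), a small Python model of the mapping described above: a NAT gateway that rewrites the outbound source address, and reply handling that only works when a state entry was kept. Addresses, ports and the class names are constructed for illustration, not pf's own code.

```python
# Added example: minimal model of why a NAT gateway needs a state entry.
# All addresses and ports below are constructed sample values.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" for SYN, "SA" for SYN+ACK


class NatGateway:
    def __init__(self, ext_addr: str, keep_state: bool = True) -> None:
        self.ext_addr = ext_addr
        self.keep_state = keep_state
        self.next_port = 50000
        # (translated port, remote addr, remote port) -> (client addr, client port)
        self.states: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Client -> external: rewrite the source; remember the mapping if keeping state."""
        ext_port = self.next_port
        self.next_port += 1
        if self.keep_state:
            self.states[(ext_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.ext_addr, ext_port, pkt.dst, pkt.dport, pkt.flags)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """External -> client: only the state entry says which client the reply belongs to."""
        client = self.states.get((pkt.dport, pkt.src, pkt.sport))
        if client is None:
            return None  # no state: the gateway cannot tell whom the packet is for
        return Packet(pkt.src, pkt.sport, client[0], client[1], pkt.flags)


def reply_delivered(keep_state: bool) -> Optional[Packet]:
    """Run SYN out and SYN+ACK back; return the un-translated reply, or None."""
    gw = NatGateway("203.0.113.1", keep_state)
    syn = Packet("192.168.1.10", 40000, "198.51.100.5", 80, "S")
    out = gw.outbound(syn)
    synack = Packet(out.dst, out.dport, out.src, out.sport, "SA")
    return gw.inbound(synack)
```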
