Whoops. Meant to cc this to the list too.

--
Richard Seaman, Jr.        email: [EMAIL PROTECTED]
5182 N. Maple Lane         phone: 262-367-5450
Nashotah WI 53058          fax:   262-367-5852
On Sat, Jul 28, 2001 at 12:19:01PM +0100, [EMAIL PROTECTED] wrote:

> I'm worried about the logic of the problem -- it seems to me that
> there's no way that nat and the dynamic rules can work together
> correctly, given that both incoming and outgoing packets start at
> the top and work down the same list of rules. The keep-state and
> check-state surely have to be on the same side of the nat,
> because they have to work together *either* on local *or* external
> addresses, not a mixture. But if they're after the nat (as for all
> written examples I've seen), then for incoming packets they operate
> on local addresses, and for outgoing on external addresses, which
> is not what's wanted. If they're before the nat, we never reach the
> nat.
>
> Am I totally at sea here with my understanding of what's going on?
> Does anyone on the list have a working example which they could
> offer, please, and set my mind at rest?

I haven't looked at your specific ruleset, but I too concluded it wasn't
possible to get dynamic rules (keep-state) working properly with nat.
But, I also managed to convince myself that the nat engine itself is, in
effect, a dynamic ruleset, so I decided I didn't care about dynamic rules
with nat.

This was a while ago, and I don't remember my analysis all that well. If
you come to a different conclusion after looking at how the nat engine
works, let me know and I'll try to reconstruct my logic.