Manuel Kasper wrote:

> But then it's not pure stateful filtering anymore, right? I mean, outbound
> packets don't get the stateful check then?

Actually, it is -- I use stateful rules for all outbound traffic from my inside hosts to outside. But natting complicates matters, because the packets must match the dynamic rule spec. So, here's what I do:

    oif = outside interface
    iif = inside interface
    $pub_hosts = 66.92.188.0/24{18,165,175,241}
    $prv_net = 192.168.123.0/24

    $fw add 02030 set 0 allow ip from $prv_net to $prv_net
    $fw add 02100 set 0 divert natd ip from any to any via $oif
    $fw add 02200 set 0 check-state
    $fw add 02400 set 0 allow ip from $pub_hosts to any out xmit $oif
    $fw add 02500 set 0 allow icmp from any to any icmptype 0,3,11
    $fw add 03300 set 0 allow tcp from $prv_net to any keep-state setup
    $fw add 03400 set 0 allow udp from $prv_net to any keep-state
    $fw add 03500 set 0 allow icmp from $prv_net to any

2400 is needed for when those stateful packets are on the outbound side, and won't match the dynamic rule because they now have the natted addrs. I call 2100 my "funky chicken rule" -- it does work. Above the natd rule I have stateful rules for traffic from the firewall itself.

> OK. Maybe I'd also seen too much with ppp vs. MPD - MPD performed at least
> 8 times faster than ppp, but of course that doesn't necessarily apply to
> natd. I still don't like the idea of having a userland process do NAT.
>
> No offense to all natd lovers, but I don't see it fitting in m0n0wall with
> the rule generator, traffic shaper, 1:1 NAT, IPsec (incoming ESP packets
> pass through the filter 4 times until they're out on LAN - makes things
> really interesting), PPTP VPN, ...

That's a different matter -- you're the chef. (I still think your XML configuration stuff has very wide applications outside this little space!)
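The two ipfw passes the post describes, and why rule 2400 is needed once natd has rewritten the source address, modelled as an added toy simulation. This is not code from the post, m0n0wall or ipfw; the interface names, the remote address and the one-to-one mapping of the inside net to 66.92.188.18 are assumptions.

```python
# Constructed model of the ruleset above: one pass per interface, natd rewriting
# addresses only on packets that cross $oif, check-state before the keep-state rules.
OIF, IIF = "ep0", "ep1"                      # assumed interface names
PRV_NET, PUB = "192.168.123.", "66.92.188.18" # assumed natd address for inside hosts
PUB_HOSTS = {"66.92.188.18", "66.92.188.165", "66.92.188.175", "66.92.188.241"}

def in_prv(addr):
    return addr.startswith(PRV_NET)

class Fw:
    def __init__(self, with_2400=True):
        self.dyn = set()      # dynamic rules: (proto, src, dst), matched in either direction
        self.nat = {}         # natd translation table: (proto, remote) -> inside host
        self.with_2400 = with_2400

    def natd(self, p, direction):
        # natd rewrites the source on the way out and the destination on the way back in
        if direction == "out":
            self.nat[(p["proto"], p["dst"])] = p["src"]
            p["src"] = PUB
        else:
            p["dst"] = self.nat.get((p["proto"], p["src"]), p["dst"])

    def check_state(self, p):
        k = (p["proto"], p["src"], p["dst"])
        return k in self.dyn or (k[0], k[2], k[1]) in self.dyn

    def run(self, p, direction, iface):
        """One ipfw pass over packet p (mutated by natd); returns the matching rule number."""
        if in_prv(p["src"]) and in_prv(p["dst"]):                       # 02030
            return 2030
        if iface == OIF:                                                # 02100 divert natd via $oif
            self.natd(p, direction)
        if self.check_state(p):                                         # 02200 check-state
            return 2200
        if self.with_2400 and p["src"] in PUB_HOSTS and direction == "out" and iface == OIF:
            return 2400                                                 # 02400 post-NAT outbound
        if p["proto"] == "tcp" and in_prv(p["src"]) and p.get("syn"):   # 03300 keep-state setup
            self.dyn.add((p["proto"], p["src"], p["dst"]))
            return 3300
        if p["proto"] == "udp" and in_prv(p["src"]):                    # 03400 keep-state
            self.dyn.add((p["proto"], p["src"], p["dst"]))
            return 3400
        return None                                                     # implicit deny

def outbound_syn(fw, src, dst):
    """An outbound SYN is seen twice: in on $iif (pre-NAT), then out on $oif (post-NAT)."""
    p = {"proto": "tcp", "src": src, "dst": dst, "syn": True}
    return fw.run(p, "in", IIF), fw.run(p, "out", OIF)

def reply_synack(fw, src, dst):
    """The reply comes in on $oif (natd maps the public address back), then out on $iif."""
    p = {"proto": "tcp", "src": src, "dst": dst}
    return fw.run(p, "in", OIF), fw.run(p, "out", IIF)
```

With rule 2400 left out, the second pass of the outbound SYN matches nothing, because natd has already replaced the private source the dynamic rule was keyed on.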