 From:  Manuel Kasper <mk at neon1 dot net>
 To:  Molle Bestefich <molle dot bestefich at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Re: Can't NAT on m0n0wall.
 Date:  Wed, 21 Jun 2006 22:48:00 +0200
On 21.06.06 22:20 +0200, Molle Bestefich wrote:

> If all NAT is applied before traffic hits the filter, then yes,
> initial packets from a client to the translated box will appear to
> the filter with the translated ("internal") address.

Actually, it's not that simple. Assuming you're doing NAT on the WAN
interface, then for outbound packets on WAN, NAT is applied after the
packet has passed through the filter - therefore, the filter will see
the original, private source IP address. For inbound packets on WAN,
NAT is applied before the filter gets the packet - therefore, it'll
also see the proper private IP address in the destination field - no
issues with stateful filtering. Have a look at fr_check() in
<http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/src/sys/contrib/ipfilter/netinet/fil.c?rev=1.23.2.8&content-type=text/plain>
(especially where it calls ip_natin() and ip_natout()) if you don't
believe me.

I have never heard of problems in this interaction, or of the need to
add two firewall rules for each NAT rule. Please post firewall logs
and your config.xml, or (better) some /status.php output after an
unsuccessful connection if you do experience this problem and still
believe it's a m0n0wall issue.

- Manuel
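The ordering Manuel describes (inbound on WAN: NAT, then filter; outbound on WAN: filter, then NAT) is easier to see in a small model than in fil.c itself. The following is an added example, a toy Python model written for this page; it is not ipfilter's or m0n0wall's code, and the function names `fr_check`, `ip_natin` and `ip_natout` only borrow ipfilter's names for the three stages. The addresses, the port forward and the two rules in `StatefulFilter` are constructed for the demonstration. It shows why one firewall rule per NAT rule is enough: the filter and its state table only ever see private addresses in both directions.

```python
"""Toy model of the NAT/filter ordering in ipfilter's fr_check(): not ipfilter code."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# Constructed addresses (RFC 5737 test ranges), not taken from the thread.
WAN_IP = "203.0.113.1"
LAN_PREFIX = "192.168.1."
WEB_SERVER = ("192.168.1.10", 80)
# Inbound port forward ("rdr" in ipfilter terms): WAN_IP:80 -> internal web server.
RDR = {(WAN_IP, 80): WEB_SERVER}


def ip_natout(pkt, nat_table):
    """Outbound on WAN: rewrite a private source to the WAN address.
    Runs AFTER the filter, so the filter already saw the private source."""
    if pkt.src.startswith(LAN_PREFIX):
        # Remember the mapping so replies can be translated back (port kept as-is).
        nat_table[(WAN_IP, pkt.sport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=WAN_IP)
    return pkt


def ip_natin(pkt, nat_table):
    """Inbound on WAN: undo translation BEFORE the filter sees the packet."""
    key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
    if key in nat_table:                       # reply to an outbound session
        priv_ip, priv_port = nat_table[key]
        return replace(pkt, dst=priv_ip, dport=priv_port)
    if (pkt.dst, pkt.dport) in RDR:            # port forward to a LAN host
        fwd_ip, fwd_port = RDR[(pkt.dst, pkt.dport)]
        return replace(pkt, dst=fwd_ip, dport=fwd_port)
    return pkt


class StatefulFilter:
    """Rules are written purely in private-address terms, one per NAT rule."""

    def __init__(self):
        self.state = set()      # 4-tuples of the packet that opened each session

    def check(self, pkt, direction):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.state or rev in self.state:
            return True                        # part of an established session
        # constructed rule: "pass out on wan from 192.168.1.0/24 to any keep state"
        if direction == "out" and pkt.src.startswith(LAN_PREFIX):
            self.state.add(fwd)
            return True
        # constructed rule: "pass in on wan to 192.168.1.10 port 80 keep state"
        if direction == "in" and (pkt.dst, pkt.dport) == WEB_SERVER:
            self.state.add(fwd)
            return True
        return False                           # default: block


def fr_check(pkt, direction, flt, nat_table):
    """Order as described in the thread: inbound NAT->filter, outbound filter->NAT.
    Returns (passed, packet as it leaves this stage)."""
    if direction == "in":
        pkt = ip_natin(pkt, nat_table)
        return flt.check(pkt, "in"), pkt
    if not flt.check(pkt, "out"):
        return False, pkt
    return True, ip_natout(pkt, nat_table)


def demo():
    flt, nat = StatefulFilter(), {}
    # 1. LAN client opens an outbound HTTPS session; the filter sees 192.168.1.20.
    ok1, wire1 = fr_check(Packet("192.168.1.20", 40000, "198.51.100.5", 443), "out", flt, nat)
    # 2. Server replies to the public address; NAT runs first, so the state
    #    lookup sees 192.168.1.20 again and the reply matches.
    ok2, seen2 = fr_check(Packet("198.51.100.5", 443, WAN_IP, 40000), "in", flt, nat)
    # 3. Outside client hits the port forward; one rule to 192.168.1.10:80 suffices.
    ok3, seen3 = fr_check(Packet("198.51.100.7", 5555, WAN_IP, 80), "in", flt, nat)
    # 4. Unsolicited packet to the WAN address with no NAT mapping is dropped.
    ok4, _ = fr_check(Packet("198.51.100.7", 5556, WAN_IP, 22), "in", flt, nat)
    no_public_state = all(WAN_IP not in entry for entry in flt.state)
    return {
        "outbound_passed": ok1, "on_wire_src": wire1.src,
        "reply_passed": ok2, "reply_dst_seen_by_filter": seen2.dst,
        "rdr_passed": ok3, "rdr_dst_seen_by_filter": seen3.dst,
        "unsolicited_passed": ok4, "state_uses_private_addrs_only": no_public_state,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model deliberately keeps source ports untranslated and ignores TCP flags and timeouts; the only thing it is meant to show is which address the filter sees at each stage, and that the state table never needs an entry containing the WAN address.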