> 1. Is this right? Is natd behaving correctly when the packet comes back
> in for unregistered ips? I would think that it would be aliased to like
> this, "machine B's ip --> machine C's ip"... like a proxy? But this
> would still break the rule "... from any ...".
I am going to assert that the behavior shown is correct. If you were
to change the IP, then machine C would not recognize the packet as
part of the same connection.
If you want a proxy, use a proxy. If you want NAT, that's something
different.
I simply address the issue by blocking those packets on a rule before
I send them through the NAT. This also has the advantage that after
the NAT line, I know that anything internal is part of an established
connection; that's invaluable for UDP, or was before we added dynamic
rule support.
Best,
joelh
--
Joel Ray Holveck - [EMAIL PROTECTED]
Fourth law of programming:
Anything that can go wrong wi
sendmail: segmentation violation - core dumped
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message
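An ipfw rule order that implements the approach in this reply, added here as an example (it is not from the original post or from FreeBSD's own sample rulesets); it assumes xl0 as the external interface, 192.168.1.0/24 as the internal network and natd listening on divert port 8668:

```shell
#!/bin/sh
# Added example: drop packets carrying unregistered (RFC 1918) addresses
# on the external interface BEFORE the divert rule, so that any packet
# reaching the rules after natd and bearing an internal address is the
# translated reply to an established connection.
# Assumptions (placeholders): EXT_IF=xl0, INT_NET=192.168.1.0/24,
# natd on divert port 8668.
EXT_IF="${EXT_IF:-xl0}"
INT_NET="${INT_NET:-192.168.1.0/24}"
NATD_PORT="${NATD_PORT:-8668}"

# Print the rule instead of loading it when DRY_RUN is set or ipfw is
# absent, so the ordering can be reviewed on any host.
ipfw_cmd() {
    if [ -z "$DRY_RUN" ] && command -v ipfw >/dev/null 2>&1; then
        ipfw "$@"
    else
        echo "ipfw $*"
    fi
}

ruleset() {
    # Rule numbers decide the order: the anti-spoofing denies must be
    # lower than the divert so they see the untranslated packet.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        ipfw_cmd add 100 deny ip from "$net" to any in via "$EXT_IF"
        ipfw_cmd add 100 deny ip from any to "$net" in via "$EXT_IF"
    done
    # Hand everything crossing the external interface to natd.
    ipfw_cmd add 200 divert "$NATD_PORT" ip from any to any via "$EXT_IF"
    # Past the divert, an inbound packet with an internal destination can
    # only be natd's translation of a reply to an outbound flow.
    ipfw_cmd add 300 allow ip from any to "$INT_NET" in via "$EXT_IF"
    # Outbound packets have already had their source rewritten by natd.
    ipfw_cmd add 400 allow ip from any to any out via "$EXT_IF"
    ipfw_cmd add 65000 deny log ip from any to any
}

ruleset
```

Run with DRY_RUN=1 to print the rules rather than load them.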