Is there some simple way to change the session timeout for IPnat?
From a quick glance at the code, fr_defnatage is always initialized to 
DEF_NAT_AGE, which (on 1.5.2) is 1200 seconds.  There does not seem to 
be a sysctl to change it, either.

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com