Current-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Hair pinning with pf and NetBSD

On 25/11/2009 8:22 AM, Daniel Hagerty wrote:
Joerg Sonnenberger<>  writes:

The problem is that the traffic will not pass through the router again.
The destination will try to access the machine directly on the local
network. Either that or I am not completely clear what you are actually
doing in terms of NAT.

     You have to rewrite *both* the src and dst addresses for this case
to work, with the idea being that the source address is something that
the destination host will route through the nat.  The NAT can do the
obvious inverse transformation for any return packets.

     I've also never seen this implemented, so I'd love to know what
the OP's customer is thinking of.

I've seen this implemented but only with iptables using both DNAT and SNAT using prerouting and postrouting rules respectively. Unfortunately all connections appear to originate from the router, which isn't an issue if there is some kind of session logging.

I'd be interested to see the pf equivalent :)


Home | Main Index | Thread Index | Old Index