Hi, Wolfgang.

On Thu, Oct 07, 1999 at 09:33:19AM +0000, Wolfgang Rupprecht wrote:
> This is how TCP works.  You can not change IP addresses after a TCP
> connection has been opened. 

Yes, but the firewall does not even let SYN packets get through,
so there is no TCP connection at all. What happens is the following:

1) host sends a SYN (with local source address) to the firewall
   which is to be routed to the Internet (after rewriting the
   source address)

2) the firewall dials out, and an IP address for the ISDN interface
   is received

3) host sends another SYN packet to the firewall (with local source
   address)

4) the firewall does not rewrite the source address but discards
   the packet

5) goto step 3)


IMHO, ipnat should recognize that
 - the IP address of the ISDN interface has changed
 - it has never sent SYN (or whatever) packets for the requested
   connection out of the ISDN interface before (so there has not
   been any IP packet with its source address rewritten to the old
   ISDN IP address)
 - it can safely start rewriting source addresses for this connection
   with the newly assigned IP address.

Maybe I am totally wrong. Is there any technical reason why
this is not possible?

    Ingolf
-- 

Ingolf Koch                            Jena-Optronik GmbH
PGP: 0x7B3B5661  213C 828E 0C92 16B5  05D0 4D5B A324 EC04