
Re: no NAT, all public ip address

So are you saying that failover will still work on a routed setup?

ed writes:

On Mon, 03 Oct 2005 23:19:30 -0500
"Neil" <[email protected]> wrote:

Hey guys,

What will I change in pf.conf if I'm not going to use NAT anymore?
It's because, the current setup of the servers including the firewall
uses publicly routable addresses and there is no NAT. I still wanted
to have failover that maintains existing states/connections even if
one firewall goes down or cables get disconnected.

Humm as far as I know a router does not have a state table as such, it
merely routes, as opposed to NAT. With NAT the FW indexes the source
port+address with a destination port+address, which yields a state. When
the FW sees another packet which matches either socket (port/address) it
will forward accordingly.

To use your pf.conf for a routed network you would need to remove the
nat/rdr lines, and alter the .conf so that you have network and IP
address entries that are routable, and to the best of my knowledge it
should work as expected, but I do not think there is a state table when
you don't use NAT, but it should not hurt to leave that setup in its
running configuration.

Regards, Ed http://www.usenix.org.uk
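The configuration below is an added example, not from either poster: a pf.conf for the routed (no NAT) design the thread discusses, with the old nat/rdr lines shown commented out and the pfsync/CARP pieces that let existing states survive a firewall failover. Interface names, the shared secret and the addresses (documentation ranges) are placeholders. State is created here by `keep state` on the pass rules, independently of NAT, and pfsync is what copies those states to the standby box.

```pf
# Added example, not from the original thread. Interface names, addresses
# (documentation ranges) and the CARP password are placeholders.
ext_if  = "em0"              # upstream link, public addresses
int_if  = "em1"              # server LAN, also public addresses, routed (no NAT)
sync_if = "em2"              # dedicated crossover link between the two firewalls
srv_net = "203.0.113.0/24"
web     = "203.0.113.10"

set skip on lo
# Let a state created when a packet enters $ext_if also match when it
# leaves on $int_if (traffic is routed between interfaces, not translated).
set state-policy floating

scrub in all

# NAT-era lines, removed for the routed design (kept here only for contrast):
# nat on $ext_if from $srv_net to any -> ($ext_if)
# rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web

block log all

# Failover plumbing: pfsync replicates state table updates to the peer,
# CARP advertises the shared gateway addresses on both sides.
pass quick on $sync_if proto pfsync
pass on { $ext_if, $int_if } proto carp keep state

# Routed service rules. Hosts are reachable at their real public addresses;
# the rules keep state so pfsync has something to replicate.
pass in  on $ext_if inet proto tcp from any to $web port { 80, 443 } flags S/SA keep state
pass out on $int_if inet proto tcp from any to $web port { 80, 443 } keep state
pass in  on $int_if inet from $srv_net to any keep state
pass out on $ext_if inet from $srv_net to any keep state

# /etc/hostname.carp0 on the master (the standby uses a higher advskew, e.g. 100):
#   inet 203.0.113.1 255.255.255.0 203.0.113.255 vhid 1 pass SharedSecret advskew 0 carpdev em1
# /etc/hostname.pfsync0 on both firewalls:
#   up syncdev em2
# /etc/sysctl.conf on both: net.inet.carp.preempt=1
```

Check the rule set with `pfctl -nf /etc/pf.conf` before loading it, confirm states are being created on the master with `pfctl -ss`, and watch `ifconfig carp0` flip between MASTER and BACKUP when you pull a cable. pfsync carries no authentication of its own, so the sync link must be a trusted dedicated segment (a crossover cable as assumed above), not a shared LAN.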