[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]


On Sun, Dec 02, 2001 at 03:57:31PM +1000, mdevin@ozemail.com.au wrote:
> I just realised something.  With the SNAT and MASQUERADE stuff, only the
> first packet of a connection needs to be looked up.  After that all
> subsequent packets are given the same treatment.
> Thus it really matters little I guess.  Only the first packet would be
> minisculely delayed by the extra time required to look up the current IP
> address of the interface.
I just found this in the NAT-Howto:
----- snip ------
There is a specialized case of Source NAT called masquerading: it should
only be used for dynamically-assigned IP addresses, such as standard
dialups (for static IP addresses, use SNAT above). 

You don't need to put in the source address explicitly with
masquerading: it will use the source address of the interface the packet
is going out from.  But more importantly, if the link goes down, the
connections (which are now lost anyway) are forgotten, meaning fewer
glitches when connection comes back up with a new IP address.
----- snip ------

This seems to indicate that if you have a dynamic IP and it goes down.
Even if you re-run your firewall script, then there may be something
left in the connection tracking table.  This may stuff something up
later when you try to continue downloading those web pages etc. you were
in the middle of downloading.

Although, I would have thought that the connection tracking table
(/proc/net/ip_conntrack) would have been cleared if you flushed your
ruleset.  Not sure on this point?  (But it doesn't seem to clear it
on my experimentation).


Attachment: pgphDEyAedZFl.pgp
Description: PGP signature

Reply to: