On Sun, Dec 02, 2001 at 03:57:31PM +1000, email@example.com wrote:
> I just realised something. With the SNAT and MASQUERADE stuff, only the
> first packet of a connection needs to be looked up. After that all
> subsequent packets are given the same treatment.
>
> Thus it really matters little I guess. Only the first packet would be
> minusculely delayed by the extra time required to look up the current IP
> address of the interface.
>

I just found this in the NAT-Howto:

----- snip ------
There is a specialized case of Source NAT called masquerading: it should only be used for dynamically-assigned IP addresses, such as standard dialups (for static IP addresses, use SNAT above).

You don't need to put in the source address explicitly with masquerading: it will use the source address of the interface the packet is going out from. But more importantly, if the link goes down, the connections (which are now lost anyway) are forgotten, meaning fewer glitches when connection comes back up with a new IP address.
----- snip ------

This seems to indicate that if you have a dynamic IP and it goes down, then even if you re-run your firewall script there may be something left in the connection tracking table. This may stuff something up later when you try to continue downloading those web pages etc. that you were in the middle of downloading.

Although, I would have thought that the connection tracking table (/proc/net/ip_conntrack) would have been cleared if you flushed your ruleset. Not sure on this point? (But it doesn't seem to clear it on my experimentation.)

Cheers.
Mark.
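As an added example (not part of Mark's message or of the NAT-HOWTO), here is a small POSIX shell/awk script that finds which entries in a /proc/net/ip_conntrack-style table are still bound to an old public address after the interface has come back up with a new one. The sample lines and all addresses are constructed; the assumption is the 2.4-era table layout, where each line carries the original-direction tuple followed by the reply-direction tuple, so for a SNAT/MASQUERADE entry the second dst= is the public address the flow was mapped to.

```shell
#!/bin/sh
# Added example: spot conntrack entries still mapped to an old public address.
# Assumes the 2.4-era /proc/net/ip_conntrack layout (original tuple, then
# reply tuple). All sample data below is constructed for the example.

# Constructed sample table. Entries 1 and 2 were NATted to 203.0.113.7 (the
# old address), entry 3 is an un-NATted LAN flow, entry 4 already uses the
# new address 203.0.113.9.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.20 sport=33456 dport=80 src=198.51.100.20 dst=203.0.113.7 sport=80 dport=33456 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=192.168.1.11 dst=198.51.100.21 sport=40001 dport=443 src=198.51.100.21 dst=203.0.113.7 sport=443 dport=40001 [ASSURED] use=1
udp      17 29 src=192.168.1.10 dst=198.51.100.53 sport=5353 dport=53 src=198.51.100.53 dst=192.168.1.10 sport=53 dport=5353 use=1
tcp      6 431998 ESTABLISHED src=192.168.1.12 dst=198.51.100.22 sport=50000 dport=22 src=198.51.100.22 dst=203.0.113.9 sport=22 dport=50000 [ASSURED] use=1'

# Emit the table to inspect: a real file when one is given (for example
# /proc/net/ip_conntrack), otherwise the constructed sample above.
conntrack_table() {
    if [ -n "${1:-}" ]; then
        cat "$1"
    else
        printf '%s\n' "$SAMPLE_CONNTRACK"
    fi
}

# Print every entry whose reply-direction dst= (the second dst= on the line,
# i.e. the address the flow was NATted to) equals $1.
# Usage: stale_entries OLD_PUBLIC_IP [conntrack-file]
stale_entries() {
    conntrack_table "${2:-}" | awk -v ip="$1" '{
        n = 0
        for (i = 1; i <= NF; i++) {
            if (substr($i, 1, 4) == "dst=") {
                n++
                if (n == 2 && substr($i, 5) == ip) { print; break }
            }
        }
    }'
}

# Number of such entries; prints 0 when there are none.
stale_count() {
    stale_entries "$1" "${2:-}" | awk 'END { print NR }'
}

# Stand-alone use: ./stale.sh 203.0.113.7 [/proc/net/ip_conntrack]
if [ -n "${1:-}" ]; then
    stale_entries "$1" "${2:-}"
fi
```

Run against a real table (stale_entries 203.0.113.7 /proc/net/ip_conntrack) before and after `iptables -F` and `iptables -t nat -F`, this shows what Mark observed: flushing the ruleset does not touch the tracking table, so entries mapped to the old address survive the rule reload. On a 2.4 kernel the way to drop them is to unload the conntrack module (iptable_nat first, then ip_conntrack); on later kernels `conntrack -F` from conntrack-tools does the same job. MASQUERADE sidesteps the problem for dial-up links because, as the HOWTO quote says, its entries are forgotten when the interface goes down.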