Hi,

Is this correct: when you are SNAT-ing and using a stateful firewall, iptables must manage 2 different 'states':

- the connections that went out, so incoming response packets are matched to the correct outgoing request packets
- the states of the state module, meaning a list of the connections, so incoming response packets are ALLOWED to go back in

I guess if you are doing SNAT with an empty filter table, you only have the 'states' of the first kind, right?

Which one of these do we actually see in /proc/net/ip_conntrack? Are these the SNAT-connections or the states from the state module? And where do I see the others?

Where can I find the default lifetime for both?

Thanks

Jo
NEOlabs - http://www.neolabs.be - mailto:info@xxxxxxxxxx