Ming-Ching Tiew wrote:
> As far as I know, PPTP connection tracking is for the PPTP client going
> through firewall, i.e. pptp masquerade. It is not needed for DNAT of PPTP
> into a pptp server.

The PPTP connection tracking works for both clients and servers, since after all, you need one of each to make a PPTP connection. While you can get by without it for DNAT to a server, the PPTP connection tracking allows you to automatically NAT the related GRE connections, and you can use a conntrack state match to only allow related GRE packets through the firewall.
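
The two setups contrasted in the reply above, as an added example that is not part of the original message: a shell function that prints (does not apply) an iptables-restore ruleset for DNAT to a PPTP server, once without the PPTP helper and once with it. The function name, interface and server address are constructed, and the explicit `CT --helper pptp` rule assumes a kernel that does not assign conntrack helpers automatically.

```shell
#!/bin/sh
# Added example: prints rules only, nothing is loaded into the kernel.
# Assumes the nf_conntrack_pptp and nf_nat_pptp modules are available
# (ip_conntrack_pptp / ip_nat_pptp on older kernels).

pptp_dnat_rules() {
    wan_if=$1 server=$2 mode=$3
    case $mode in
    static)
        # No helper: every inbound GRE packet (IP protocol 47) must be
        # DNATed and accepted, whether or not a PPTP call exists for it.
        cat <<EOF
*nat
-A PREROUTING -i $wan_if -p tcp --dport 1723 -j DNAT --to-destination $server
-A PREROUTING -i $wan_if -p gre -j DNAT --to-destination $server
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -i $wan_if -d $server -p tcp --dport 1723 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $wan_if -d $server -p gre -j ACCEPT
COMMIT
EOF
        ;;
    helper)
        # Helper attached to the control connection: GRE tied to a call
        # negotiated on TCP/1723 is NATed automatically and shows up as
        # RELATED, so no blanket GRE rule is needed.
        cat <<EOF
*raw
-A PREROUTING -i $wan_if -p tcp --dport 1723 -j CT --helper pptp
COMMIT
*nat
-A PREROUTING -i $wan_if -p tcp --dport 1723 -j DNAT --to-destination $server
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $wan_if -d $server -p tcp --dport 1723 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
        ;;
    *)  echo "usage: pptp_dnat_rules WAN_IF SERVER static|helper" >&2
        return 2 ;;
    esac
}

pptp_dnat_rules eth0 192.0.2.10 helper   # constructed interface and address
```

The printed ruleset can be syntax-checked on the firewall with `iptables-restore --test` before it is loaded.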