keeping state on outgoing connections fails (?)
Jon Radel
jon at radel.com
Wed Sep 3 15:08:25 UTC 2008
Guido van Rooij wrote:
> On Wed, Sep 03, 2008 at 10:13:08AM -0400, Jon Radel wrote:
>>> And why is that so? This basically rules out keep state on outgoing packets
>>> on any router-type system. That seems like an unnecessary limitation.
>> What? If you want state, turn it on:
>>
>> block all
>> pass in on ep0 inet from 1.2.3.1 to 10.0.0.2 keep state
>> pass out on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state
>>
>> should work fine also. Other things being equal (in other words, your
>> mileage may vary....), that is both more secure and more efficient than
>> the first rule set I offered as an example. I sent the first one only
>
> It's certainly not more efficient as one needs twice as many state entries.
I say apples are better than oranges. You come along and say, "No,
fool, pears are not better than oranges."
I wish you luck with your problems. You might be happier using
something other than PF.
--Jon Radel
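The two-interface ruleset quoted in this reply, written out as a complete pf.conf so the per-interface state entries are easy to see. This is an added example, not a configuration posted by either participant; the interface names and addresses are the ones quoted above, and the macros, the state limit and its value are assumptions made here for illustration.

```pf
# Added example (not from the original thread): a complete pf.conf built
# around the two-interface ruleset quoted above. Interface names and
# addresses come from the quoted message; everything else is assumed.
ext_if = "ep0"      # interface on which traffic from 1.2.3.1 arrives
int_if = "bge0"     # interface it leaves on, toward 10.0.0.2
src    = "1.2.3.1"
dst    = "10.0.0.2"

# Every "keep state" that matches creates an entry in the state table, so a
# forwarded flow that hits both rules below can cost two entries instead of
# one. Bounding the table is an assumed tuning choice, sized for this example.
set limit states 10000

block all

# State on the inbound interface: the first packet of the flow is evaluated
# against the rules; later packets in the flow are matched by state.
pass in  on $ext_if inet from $src to $dst keep state

# State again on the outbound interface for the forwarded copy of the flow.
pass out on $int_if inet proto tcp from $src to $dst keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then `pfctl -ss` with a connection in flight shows what the rules actually produced. Whether the outbound rule creates a second entry or the packet matches the entry created on the inbound side depends on the state policy in effect (`set state-policy if-bound` versus `floating`), which is why the thread's two participants can disagree about the cost; the state listing settles it for a given host.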