From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 4 20:01:03 2007
Message-ID: <46DDB975.3050606@auckland.ac.nz>
Date: Wed, 05 Sep 2007 08:00:53 +1200
From: Russell Fulton
User-Agent: Thunderbird 2.0.0.6 (Macintosh/20070728)
To: freebsd-ipfw@freebsd.org
References: <46D66176.9020300@auckland.ac.nz> <46D70145.3030708@auckland.ac.nz> <46DD38BC.30605@elischer.org>
In-Reply-To: <46DD38BC.30605@elischer.org>
Subject: Re: getting state to work properly
List-Id: IPFW Technical Discussions

Julian Elischer wrote:
>
> also bear in mind the way that state is done..
> it's not documented anywhere but when you do a 'keep-state', the rule
> that does the keep-state is stored away, and when a "check state" is run,
> it effectively JUMPS TO the rule that did the keep-state.
>

Ah! Thanks for that! As it happens that's just what I need. In many cases in my rule set I use

add pipe ................ keep-state

and that works as I had hoped it would -- this explains why.

Thanks also to the other folk on the list (Hi Vadim) who have helped me get this show on the road. Yesterday I shut down the interfaces on the primary firewall to force the traffic to the secondary where I had my rewritten rule set up and no one noticed (except those who had tcp sessions in progress at the time).

Are there any plans for state synchronisation (like pfsync) for ipfw or is there something and I have missed it?

Russell.
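The behaviour Julian describes, as an added illustration that is not ipfw's code and not from this thread: a small Python model in which each dynamic entry remembers the rule that created it, so a later check-state hands a matching packet (including the reply direction) to that rule's action. The ruleset, addresses and ports are constructed for the example; the model ignores details such as net.inet.ip.fw.one_pass and state expiry.

```python
# Simplified model (not ipfw's implementation) of keep-state / check-state:
# a check-state hit "jumps to" the rule that installed the entry.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    number: int
    action: str            # "pipe 1", "allow", "deny" or "check-state"
    match: object = None   # callable(Packet) -> bool; None matches all
    keep_state: bool = False


def flow_key(p):
    # Direction-independent key, so the reply packet finds the same entry.
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dynamic = {}  # flow_key -> Rule that did the keep-state

    def process(self, p):
        """Return (rule number, action) that handles packet p."""
        for r in self.rules:
            if r.action == "check-state":
                owner = self.dynamic.get(flow_key(p))
                if owner is not None:
                    return (owner.number, owner.action)  # jump to owner rule
                continue
            if r.match is not None and not r.match(p):
                continue
            if r.keep_state:
                self.dynamic[flow_key(p)] = r
            return (r.number, r.action)
        return (65535, "deny")  # default rule


# Constructed ruleset modelled on the post: a pipe rule that keeps state.
RULES = [
    Rule(100, "check-state"),
    Rule(200, "pipe 1", lambda p: p.proto == "tcp" and p.dport == 80, True),
    Rule(300, "deny"),
]


def demo():
    fw = Firewall(RULES)
    out = fw.process(Packet("tcp", "10.0.0.5", 40000, "192.0.2.10", 80))
    back = fw.process(Packet("tcp", "192.0.2.10", 80, "10.0.0.5", 40000))
    other = fw.process(Packet("tcp", "10.0.0.5", 40001, "192.0.2.10", 443))
    return out, back, other
```

The reply packet never matches rule 200's own condition (its dport is 40000), yet it is still shaped by pipe 1 because check-state resolves it to the rule that created the entry.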