Date:      Wed, 04 Feb 2015 13:06:41 +0800
From:      Julian Elischer <julian@freebsd.org>
To:        lev@FreeBSD.org, freebsd-ipfw <freebsd-ipfw@freebsd.org>, freebsd-net <freebsd-net@freebsd.org>
Subject:   Re: [RFC][patch] Two new actions: state-allow and state-deny
Message-ID:  <54D1A8E1.8010100@freebsd.org>
In-Reply-To: <54D0951F.2000304@FreeBSD.org>
References:  <54CFCD45.9070304@FreeBSD.org> <54D06E5C.3090701@freebsd.org> <54D0951F.2000304@FreeBSD.org>

On 2/3/15 5:30 PM, Lev Serebryakov wrote:
>
>> looking at my own rules I don't seem to have a problem..
>    You have "check-state" only once, on entrance, before all NATs, so
> it could work only for packets which don't need NAT. And looks like
> (correct me if I'm wrong) you don't try to track states of connections
> passed through NAT.

Yes, because NAT is a stateful filter, so it's a duplication.

> - -- 
> // Lev Serebryakov AKA Black Lion