From: Vasily Ivanov
Organization: Academ.org
To: freebsd-pf@freebsd.org
Date: Wed, 23 May 2007 19:57:31 +0700
Subject: Re: source limiting NATed connections
In-Reply-To: <87wsyzvj3r.fsf@thingy.datadok.no>
Message-Id: <200705231957.31447.freebsdpf@academ.org>

Hi, Peter, thanks for your reply.

On 23 May 2007 19:07, Peter N. M. Hansteen wrote:
> Vasily Ivanov writes:
> > When I try to put a rule like this: "nat on $ext_if from $private_net to
> > any -> $nat_addr (source-track rule, max-src-states 10)" into pf.conf I
> > get a "syntax error" message.
>
> Put the source tracking part in your pass rules instead.

There're no other pass/block rules, except those protecting the gateway itself. All firewalling and shaping is on the other box; the gw is handling BGP and NAT functions only.

There comes another question: if I add a "pass in on $int_if from any to any keep state" rule (with source-tracking etc.), will it double the number of states in pf -- one state from the nat rule, and one from keep state? Because it's already about 12-15k states in peak times (7k minimum), and if it doubles...

-- 
Vasily Ivanov
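As an added illustration (not part of this thread), here are the two forms under discussion side by side in pf.conf: the nat rule carrying state options, which pf rejects, and the equivalent with source tracking moved onto the pass rule on the internal interface. The $ext_if, $int_if, $private_net and $nat_addr macros are the thread's own; the interface names and addresses are placeholders, and the pass rule is narrowed to $private_net rather than the "from any" in the message.

```pf
# Macros as used in the thread; interface names and addresses are placeholders.
ext_if      = "em0"
int_if      = "em1"
private_net = "10.0.0.0/8"
nat_addr    = "192.0.2.1"

# Rejected: state options are not accepted on a translation rule.
# "pfctl -nf /etc/pf.conf" reports "syntax error" on this line.
# nat on $ext_if from $private_net to any -> $nat_addr \
#     (source-track rule, max-src-states 10)

# Translation only: no state options on the nat rule.
nat on $ext_if from $private_net to any -> $nat_addr

# Source tracking lives on the pass rule that the NATed traffic matches.
#   source-track rule  : one counter per source address, for this rule only
#   max-src-states 10  : a source may hold at most 10 states via this rule
pass in on $int_if from $private_net to any keep state \
    (source-track rule, max-src-states 10)
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and compare the "current entries" figure from `pfctl -s info` before and after adding the pass rule to see on your own traffic whether the state count changes; `pfctl -s Sources` lists the per-source counters the rule creates.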