Date: Wed, 23 May 2007 19:57:31 +0700
From: Vasily Ivanov <freebsdpf@academ.org>
To: freebsd-pf@freebsd.org
Subject: Re: source limiting NATed connections
Message-ID: <200705231957.31447.freebsdpf@academ.org>
In-Reply-To: <87wsyzvj3r.fsf@thingy.datadok.no>
References: <200705231206.50584.freebsdpf@academ.org> <87wsyzvj3r.fsf@thingy.datadok.no>
Hi, Peter, thanks for your reply.

On 23 May 2007 19:07, Peter N. M. Hansteen wrote:
> Vasily Ivanov <freebsdpf@academ.org> writes:
> > When I try to put a rule like this: "nat on $ext_if from $private_net to
> > any -> $nat_addr (source-track rule, max-src-states 10)" into pf.conf I
> > get a "syntax error" message.
>
> Put the source tracking part in your pass rules instead.

There are no other pass/block rules, except protecting the gateway itself. All firewalling and shaping is on the other box; the gw is handling BGP and NAT functions only.

There comes another question: if I add a "pass in on $int_if from any to any keep state" rule (with source-tracking etc.), will it double the number of states in pf -- one state from the nat rule, and one from keep state? Because it's already about 12-15k states in peak times (7k minimum), and if it doubles...

-- 
Vasily Ivanov
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200705231957.31447.freebsdpf>
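For readers following the thread, here is the shape of a pf.conf that applies Peter's suggestion: source tracking is a filter-rule option, so it is rejected on the nat rule and belongs on the pass rule that admits the inside traffic. This is an added example, not a configuration posted by either participant; the interface names, the private prefix and the NAT address are placeholders standing in for the $ext_if, $int_if, $private_net and $nat_addr macros referenced in the thread.

```pf
# Added example (not from the original thread). Macro values are assumed
# placeholders; substitute the real interfaces and addresses.
ext_if      = "em0"
int_if      = "em1"
private_net = "10.0.0.0/8"
nat_addr    = "198.51.100.1"

# The nat rule only describes the translation. Putting
# "(source-track rule, max-src-states 10)" here is what produced the
# "syntax error" in the thread: those are options of filter rules.
nat on $ext_if from $private_net to any -> $nat_addr

# Source tracking goes on the pass rule for traffic entering on the inside
# interface. "source-track rule" keeps a per-source counter for this rule
# only; "max-src-states 10" refuses to create an 11th simultaneous state
# for the same inside source address.
pass in on $int_if from $private_net to any keep state \
    (source-track rule, max-src-states 10)
```

Before loading it, `pfctl -nf /etc/pf.conf` parses the file without installing it, which is the quickest way to confirm the rewritten rule is accepted where the original nat form was not. The state-count question in the message can be answered on the box itself rather than by guessing: `pfctl -s info` reports the current state count, `pfctl -s states | wc -l` gives the same number per connection, and `pfctl -s Sources` lists the source-tracking entries with their per-source state counts. Comparing the figures before and after adding the pass rule, at comparable load, shows directly whether the peak of 12-15k states the message mentions grows.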