Date: Wed, 31 Jan 2007 09:30:56 +0200
From: Stefan Lambrev <stefan.lambrev@sun-fish.com>
To: James Long <stable@museum.rain.com>
Cc: freebsd-stable@freebsd.org, Pete French <petefrench@ticketswitch.com>
Subject: Re: impossible rc.d ordering problem with stf and pf ?
Message-ID: <45C045B0.1060108@sun-fish.com>
In-Reply-To: <20070131004234.GA13590@ns.umpquanet.com>
References: <20070130120050.899B816A4BF@hub.freebsd.org> <20070131004234.GA13590@ns.umpquanet.com>

Hello,

James Long wrote:
>> Date: Mon, 29 Jan 2007 12:02:52 +0000
>> From: Pete French <petefrench@ticketswitch.com>
>> Subject: Re: impossible rc.d ordering problem with stf and pf ?
>> To: freebsd-stable@freebsd.org, max@love2party.net
>> Cc: rcoleman@criticalmagic.com, bms@freebsd.org
>> Message-ID: <E1HBVDo-0008WW-Fe@dilbert.ticketswitch.com>
>>
>>> 1) You use the interface name as address w/o dynamic lookup.
>>>    i.e. "... from stf0 ..."
>>
>> Yes, that's it - I hadn't come across this 'dynamic lookup' thing before
>> though, so I didn't realise what it was. I still can't find it in the PF
>> manual, aside from a reference that you need to do it for NAT.
>>
>>> To 1 and 2 there is a simple solution: Don't do that then! 1 can easily
>>> be defused by adding parentheses. i.e. "... from (stf0) ...".
>>
>> pass out on (stf0) inet6 from any to any keep state
>
> Just for my edification, what is the point of "keep state" on an
> "any-to-any" rule?

Imagine that you have only 2 rules:

    block in on $if all
    pass out on $if from any to any keep state

With "keep state" you have internet, without it you do not have ;)

> Jim

--
Best Wishes,
Stefan Lambrev
ICQ# 24134177
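
The two-rule ruleset from the reply above, modelled as an added Python sketch (not part of the original message and not pf code) to show why the reply to an outbound connection only gets back in when the pass rule creates state. The names `Packet`, `Rule`, `Firewall` and `run` are hypothetical, the addresses are constructed documentation addresses, and the model assumes a state-table lookup before the ruleset, last-match-wins evaluation, and state created only by a pass rule marked "keep state", as in the thread.

```python
# Added illustration: a toy model of a pf-style state table, not pf itself.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out" relative to the interface
    src: str
    dst: str
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str      # "block" or "pass"
    direction: str
    keep_state: bool = False

def state_key(p):
    # Unordered endpoint pair: a reply maps to the same key as the
    # outbound packet that created the state entry.
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()

    def filter(self, p):
        # Existing state is consulted first; a hit bypasses the ruleset.
        if state_key(p) in self.states:
            return "pass"
        verdict, matched = "pass", None    # implicit pass if nothing matches
        for r in self.rules:               # last matching rule wins
            if r.direction == p.direction:
                verdict, matched = r.action, r
        if matched and matched.action == "pass" and matched.keep_state:
            self.states.add(state_key(p))
        return verdict

def run(keep_state):
    # block in on $if all / pass out on $if from any to any [keep state]
    fw = Firewall([Rule("block", "in"), Rule("pass", "out", keep_state)])
    # Constructed sample traffic.
    request = Packet("out", "2001:db8::1", "2001:db8::80", 49152, 80)
    reply = Packet("in", "2001:db8::80", "2001:db8::1", 80, 49152)
    unsolicited = Packet("in", "2001:db8::99", "2001:db8::1", 4444, 22)
    return [fw.filter(p) for p in (request, reply, unsolicited)]
```

`run(True)` lets the reply through and still blocks the unsolicited inbound packet; `run(False)` blocks both inbound packets, so outbound connections never complete.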