Date:      Wed, 05 Sep 2007 08:00:53 +1200
From:      Russell Fulton <r.fulton@auckland.ac.nz>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: getting state to work properly
Message-ID:  <46DDB975.3050606@auckland.ac.nz>
In-Reply-To: <46DD38BC.30605@elischer.org>
References:  <46D66176.9020300@auckland.ac.nz> <46D70145.3030708@auckland.ac.nz> <optx3bu3br4fjv08@nuclight.avtf.net> <46DD38BC.30605@elischer.org>



Julian Elischer wrote:
>
> also bear in mind the way that state is done..
> it's not documented anywhere but when you do a 'keep-state', the rule
> that
> does the keep-state is stored away, and when a "check state" is run,
> it effectively JUMPS TO the rule that did the keep-state.
>
Ah! thanks for that!  As it happens that's just what I need.  In many
cases in my rule set I use

add pipe ................  keep-state

and that works as I had hoped it would -- this explains why.

Thanks also to the other folk on the list (Hi Vadim) who have helped me
get this show on the road.  Yesterday I shut down the interfaces on the
primary firewall to force the traffic to the secondary where I had my
rewritten rule set up and no one noticed (except those who had tcp
sessions in progress at the time).


Are there any plans for state synchronisation (like pfsync) for ipfw or
is there something and I have missed it? 

Russell.
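
The behaviour discussed in this message, as an added example that is not part of the original e-mail or of ipfw itself: a simplified Python model in which a `check-state` hit re-applies the action of the rule that created the state, so return traffic of a `pipe ... keep-state` flow goes through the same pipe. Rule numbers, addresses and the pipe number are constructed, and the model assumes the pipe action is terminal (as with `net.inet.ip.fw.one_pass=1`).

```python
# Simplified model of ipfw dynamic state; not ipfw code. Assumes "pipe" ends
# rule processing. All rule numbers and addresses below are constructed.
from dataclasses import dataclass, field

@dataclass
class Rule:
    num: int
    action: str                          # "check-state", "pipe 1", "deny", ...
    match: callable = lambda p: True     # static match on the packet
    keep_state: bool = False

@dataclass
class Firewall:
    rules: list
    dyn: dict = field(default_factory=dict)   # flow key -> parent Rule

    @staticmethod
    def flow_key(p):
        # A dynamic rule matches both directions, so order the two endpoints.
        ends = sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])])
        return (p["proto"],) + tuple(ends)

    def process(self, p):
        """Return (rule number, action) of the rule that decided the packet."""
        for r in sorted(self.rules, key=lambda r: r.num):
            if r.action == "check-state":
                parent = self.dyn.get(self.flow_key(p))
                if parent:               # "jump to" the rule that kept state
                    return parent.num, parent.action
                continue
            if not r.match(p):
                continue
            if r.keep_state:             # remember the parent rule for this flow
                self.dyn[self.flow_key(p)] = r
            return r.num, r.action
        return 65535, "deny"

def demo():
    fw = Firewall([
        Rule(100, "check-state"),
        Rule(200, "pipe 1",
             lambda p: p["src"].startswith("10.0.0.") and p["dport"] == 80,
             keep_state=True),
        Rule(65000, "deny"),
    ])
    out = dict(proto="tcp", src="10.0.0.5", sport=40000, dst="192.0.2.10", dport=80)
    back = dict(proto="tcp", src="192.0.2.10", sport=80, dst="10.0.0.5", dport=40000)
    stray = dict(proto="tcp", src="192.0.2.10", sport=80, dst="10.0.0.6", dport=40000)
    return [fw.process(out), fw.process(back), fw.process(stray)]
```

The reply packet never matches rule 200 statically, yet it is decided by rule 200 and its pipe action because the stored parent rule is what `check-state` executes; the stray packet has no state and falls through to the deny.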


