Date:      Mon, 16 Nov 2009 02:59:32 -0800
From:      Ask Bjørn Hansen <ask@develooper.com>
To:        Denny Lin <dennylin93@cnmc32.hs.ntnu.edu.tw>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Avoid keeping state of ntp requests
Message-ID:  <6967A89E-CF55-4F65-972E-864AAA50ED32@develooper.com>
In-Reply-To: <20091116104413.GA32966@mx.hs.ntnu.edu.tw>
References:  <B4BDA459-66C1-4FC5-8C27-E090C3FD85E7@develooper.com> <20091116104413.GA32966@mx.hs.ntnu.edu.tw>


On Nov 16, 2009, at 2:44, Denny Lin wrote:

>
>> I'm trying to avoid keeping state of ntp requests to our ntp servers.
>> They are on UDP and numerous, so it's just wasting a lot of space in
>> the state table.
>>
>> I've tried various variations of 'pass quick', but some rule keeps
>> adding state for the port 123 requests.   I've put the full output of
>> 'pfctl -sa' here:
>
> Have you tried adding "no state" at the end of the rule? This way they
> aren't added to the state table.

Hi Denny,

Yes, indeed - that's what I'm doing; I should have made that explicit in
the mail.

I've put the pfctl -vsr output up here:

	http://tmp.askask.com/2009/11/pfctl-vsr.txt

[ a little later ]

Aargh!   The problem was that the table in my rule was <ntp_servers>,
but the table with the IP addresses was <ntp_hosts>!

Thanks for making me take a second[1] look.


 - ask


[1] That's a joke, more like look number 217!



