Date:      Tue, 29 Apr 2003 21:58:56 -0700
From:      "Crist J. Clark" <crist.clark@attbi.com>
To:        Antoine Jacoutot <ajacoutot@lphp.org>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: ipfw dynamic rule timeout
Message-ID:  <20030430045856.GA23926@blossom.cjclark.org>
In-Reply-To: <200304300100.42983.ajacoutot@lphp.org>
References:  <200304271259.02025.ajacoutot@lphp.org> <200304290038.59573.ajacoutot@lphp.org> <20030429203842.GB22678@blossom.cjclark.org> <200304300100.42983.ajacoutot@lphp.org>

On Wed, Apr 30, 2003 at 01:00:42AM +0200, Antoine Jacoutot wrote:
> On Tuesday 29 April 2003 22:38, Crist J. Clark wrote:
> > Not sure where you're looking there, but when I BSD Google for "ipfw
> > natd keep-state" the first link is,
> >
> > http://docs.freebsd.org/mail/archive/2002/freebsd-ipfw/20020804.freebsd-ipfw.html
> 
> Thanks, I guess I put in the wrong keywords.
> I read all of this and came to the conclusion that there was no solution to 
> this problem, at least I can't see one.
> I guess I'll have to build my firewall with something else.
> 
> But thanks.

I think several of the articles point to the easiest solution: Don't
use keep-state rules in conjunction with natd(8). Keep-state doesn't
offer you anything more than using natd(8) with stateless rules for
the vast majority of policies.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org


