Date: Fri, 17 Sep 2004 23:53:40 +0900
From: Rob <spamrefuse@yahoo.com>
To: freebsd-questions@freebsd.org
Subject: Re: Too many dynamic rules, sorry
Message-ID: <414AFA74.4070001@yahoo.com>
In-Reply-To: <414AF79C.4030809@etherealconsulting.com>
References: <414A6E9C.4060708@etherealconsulting.com> <020b01c49c76$e3d1ada0$0201a8c0@dredster> <414AF79C.4030809@etherealconsulting.com>

Norm Vilmer wrote:
> Here are the rules that I have that keep-state on the outside interface:
>
> #For DNS
> add 01300 pass udp from ${oip} to any 53 keep-state
> # For NTP
> add 01400 pass udp from ${oip} to any 123 keep-state
> # For VPN
> add 01500 pass gre from any to any keep-state
> # For ICMP
> add 01600 pass icmp from any to any via ${oip} keep-state
>
> Do you think these are causing the problem?

Aren't udp and icmp state-less protocols? In that case, keep-state
would not make much sense. I use 'keep-state' only for tcp rules.

I may be wrong, moreover, I haven't followed the full thread :).

Rob.