On Tue, Oct 15, 2002 at 03:37:56PM -0400, William Culler wrote:
> > Yes, the 'keep state' option in that rule allows replies to your
> > outgoing UDP packets.
>
> I figured that was the case, but I just wanted to verify. I definitely
> want to continue using "keep state" on outgoing UDP traffic, so I decided
> to install a software firewall on the particular Windows machine that I
> use Kazaa on and block the incoming UDP packets there. Thanks for the
> reply.
Of course you don't need to 'keep state' on all outgoing connections if you don't want the replies. You can use different 'pass out' rules for different traffic, and each can have 'keep state' enabled or not. For instance, if all you want is DNS,

    pass out on $ext_if proto udp from any to any port domain keep state

is sufficient, and will let DNS queries out and the associated replies back in, while not allowing any other UDP traffic in or out (which would be blocked by a default block, if there are no other rules allowing it). I don't think you ever need to pass any traffic at the border gateway just to drop it at the final destination; you can just as well drop it at the border.

Daniel
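The ruleset Daniel describes, written out as a complete pf.conf fragment. This is an added example, not a ruleset from either poster; the interface name and the idea of a separate non-stateful 'pass out' rule for "other" UDP are assumptions chosen to illustrate the point, and the rule syntax follows the OpenBSD 3.x-era form used in the message (no 'pass in' rule for UDP is needed for DNS replies, because the state entry admits them).

```pf
# Added example: selective 'keep state' on outgoing UDP.
# ext_if is a placeholder; substitute the real external interface.
ext_if = "ne3"

# Default deny in both directions. Anything not explicitly passed
# below is dropped at the border, so nothing has to be filtered
# again on the end hosts.
block in  on $ext_if all
block out on $ext_if all

# DNS: queries go out, and only the matching replies come back in.
# 'keep state' creates a state entry per query; the reply is matched
# against that entry instead of the 'block in' rule above.
pass out on $ext_if proto udp from any to any port domain keep state

# Other outgoing UDP (assumed you still want it to leave): no state is
# kept, so the packet gets out but any reply is dropped by 'block in'.
# Replace this with a narrower rule, or delete it, to block that
# traffic at the border instead of at the destination host.
pass out on $ext_if proto udp from any to any

# Outgoing TCP stays stateful as usual so replies are admitted.
pass out on $ext_if proto tcp from any to any flags S/SA keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; the `-n` flag parses the rules without changing the running ruleset, so a typo in a port name or interface is caught before it can lock anything out.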