> The part that confused me was that the connections failed
> immediately -- it turns out that PF sends a RST upon state
> mismatch during the initial handshake, as opposed to dropping
> the packets and letting the connection time out.

As a matter of policy, I would never black hole internally sourced traffic traversing packet filtering infrastructure under my control. There are few things worse from a management/debugging perspective than to have packets disappear into the wild blue yonder with no indication of why.

Greg
