Hi, Peter, thanks for your reply.

On 23 May 2007 19:07, Peter N. M. Hansteen wrote:
> Vasily Ivanov <[EMAIL PROTECTED]> writes:
> > When I try to put rule like this: "nat on $ext_if from $private_net to
> > any -> $nat_addr (source-track rule, max-src-states 10)" into pf.conf I
> > get a "syntax error" message.
>
> Put the source tracking part in your pass rules instead.

There are no other pass/block rules, except those protecting the gateway itself. All firewalling and shaping is on the other box; the gw is handling BGP and NAT functions only.

There comes another question: if I add a "pass in on $int_if from any to any keep state" rule (with source-tracking etc.), will it double the number of states in pf -- one state from the nat rule, and one from keep state? Because it's already about 12-15k states at peak times (7k minimum), and if it doubles...

-- 
Vasily Ivanov
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
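For readers following the thread, here is what Peter's suggestion looks like as a pf.conf fragment. This is an added example, not a configuration posted by either participant; the interface names, the private network and the NAT address are assumed values, and the only thing carried over from the thread is the shape of the original rule. The translation rule keeps no state options, and the per-source limits move to the filter rule that actually creates the state.

```conf
# Added example (not from the original thread). Macro values are assumptions.
ext_if      = "em0"
int_if      = "em1"
private_net = "10.0.0.0/8"
nat_addr    = "192.0.2.1"

# Translation only. State options such as source-track are not accepted
# here, which is what produced the "syntax error" in the original rule.
nat on $ext_if from $private_net to any -> $nat_addr

# Per-source limits belong on the pass rule that creates the state:
#   source-track rule   - count open states per source address, per rule
#   max-src-states 10   - refuse a new state once a source has 10 open ones
pass in on $int_if from $private_net to any keep state (source-track rule, max-src-states 10)

# The existing rules that protect the gateway itself would go here.
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without applying it, so a misplaced option shows up as a parse error rather than a dropped ruleset. After loading, `pfctl -si` reports the current number of state entries, which answers the doubling question empirically: compare the figure before and after adding the pass rule under similar load. `pfctl -sS` lists the per-source tracking entries created by `source-track`, and `pfctl -vsr` shows how many states each rule has created. One caveat worth checking at 12-15k states: the pf default is `set limit states 10000`, so a gateway already carrying that many states must have raised it, and `pfctl -sm` shows the limits currently in force.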
