Guido van Rooij wrote:
> On Wed, Sep 03, 2008 at 10:13:08AM -0400, Jon Radel wrote:
>>> And why is that so? This basically rules out keep state on outgoing packets
>>> on any router-type system. That seems like an unnecessary limitation.
>> What? If you want state, turn it on:
>>
>> block all
>> pass in on ep0 inet from 1.2.3.1 to 10.0.0.2 keep state
>> pass out on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state
>>
>> should work fine also. Other things being equal (in other words, your
>> mileage may vary....), that is both more secure and more efficient than
>> the first rule set I offered as an example. I sent the first one only
>
> It's certainly not more efficient as one needs twice as many state entries.
I say apples are better than oranges. You come along and say, "No, fool, pears are not better than oranges." I wish you luck with your problems. You might be happier using something other than PF.

--Jon Radel
