On Tue, Nov 13, 2007 at 07:50:53AM +0530, Girish Venkatachalam wrote:
> On 22:08:03 Nov 12, Alupului Costin wrote:
> > I seem to have quite a problem with PF. I have set up a bridge to
> > shape my upstream traffic. I use ALTQ with hfsc discipline; but that's
> > not really important. My problem comes with the filter rules. I have
> > to use keep state because of the speed benefits (really I don't have a
> > choice),
>
> One should always keep state.
>
<...>
> > Oh, here is the setup of the bridge from rc.conf, although there
> > shouldn't be any problems there (the bridge works fine without pf, or
> > with pf stateless):
>
> Stateful filtering is always recommended. Performance is not the only
> reason why you should use it.
>
> It also adds to security. Have you tried disabling normalization/scrub?
>
> Best,
> Girish

My understanding (and please correct me if I'm wrong) is that keeping
state requires fragmented packet reassembly, which can break some
applications. Also, I've always followed the conventional wisdom that
bridges shouldn't keep state. A posting from the maintainer supports
this:

http://lists.freebsd.org/pipermail/freebsd-pf/2005-September/001481.html

Maybe this has changed--I'm not sure, but so far I haven't seen
performance issues with pf and if_bridge without keeping state, so I
haven't been worried about it.

Erik
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
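For readers following the thread, here is an added example (not the original poster's configuration, which the thread never shows) of a FreeBSD if_bridge with pf filtering on the member interfaces, laid out to show the two rule styles being debated: stateless rules, which need a rule for each direction, and stateful rules with scrub, the normalization Girish suggests disabling as a test. Interface names, bandwidth figures, queue names and the port being filtered are assumptions chosen for illustration.

```conf
# --- /etc/rc.conf (assumed member interfaces em0 and em1) ---
# cloned_interfaces="bridge0"
# ifconfig_bridge0="addm em0 addm em1 up"
# ifconfig_em0="up"
# ifconfig_em1="up"
# pf_enable="YES"
#
# --- /etc/sysctl.conf ---
# Run pf on the member interfaces rather than on bridge0 itself, so rules
# can name the physical interface a packet actually enters or leaves on.
# net.link.bridge.pfil_member=1
# net.link.bridge.pfil_bridge=0

# --- /etc/pf.conf ---
ext_if = "em0"   # upstream side of the bridge (assumed)
int_if = "em1"   # LAN side of the bridge (assumed)

# ALTQ/HFSC shaping on the upstream interface; the figures are placeholders.
altq on $ext_if hfsc bandwidth 1Mb queue { q_bulk, q_ack }
queue q_bulk bandwidth 80% hfsc(default)
queue q_ack  bandwidth 20% hfsc(realtime 10%)

# Normalization: reassembles IP fragments before the filter rules run.
# Comment this out to test the "disable scrub" suggestion from the thread.
scrub in all

# Variant A: stateless. Every packet is matched against the rules on its
# own, so both directions of the connection need explicit rules. On pf
# releases where pass rules are stateful by default (pf from OpenBSD 4.1
# onward, as imported into FreeBSD 7), "no state" is what keeps them
# stateless; older pf is stateless unless "keep state" is written.
pass in  quick on $int_if proto tcp from any to any port 80 no state queue q_bulk
pass out quick on $ext_if proto tcp from any to any port 80 no state queue q_bulk
pass in  quick on $ext_if proto tcp from any port 80 to any no state
pass out quick on $int_if proto tcp from any port 80 to any no state

# Variant B: stateful. The first packet creates a state entry; the rest of
# the connection, including the replies, is matched by a state-table lookup,
# with empty ACKs steered into the low-delay queue. Enable instead of A.
#pass in  quick on $int_if proto tcp from any to any port 80 \
#    keep state queue (q_bulk, q_ack)
#pass out quick on $ext_if proto tcp from any to any port 80 \
#    keep state queue (q_bulk, q_ack)
```

The point of showing both variants side by side is the trade-off the thread is arguing about: Variant A gives the per-packet behaviour Erik describes running on his bridge without state, while Variant B relies on the state table (and, on most deployments, on scrub having already reassembled fragments) for the speed benefit Costin mentions. Check the result with `pfctl -nf /etc/pf.conf` before loading it, since the `no state` keyword is rejected by pf versions that predate it.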