> Rules can be given an expiry (in seconds):
>
> block in from any to any port = 22 rule-ttl 10
>
> But displaying them with ipfstat is slightly different, e.g:
> # ipfstat -i
> block in from any to any port = 22 # rule-ttl 4191
>
> This prevents temporary rules from being loaded that match
> already existing rules and also means you don't need to
> worry about guessing the correct ttl to remove a rule.
Any more examples of this? It seems confusing to use the same "rule-ttl" for different purposes. And also how can you know how much time is left? Thanks for these interesting and useful features.
