On 2012-06-12 15:55, Bernd wrote:
> What might be the easiest solution to have pf not care about states any
> longer -- using 'keep state sloppy'? Or disabling statefulness entirely
> (how?)?
If you don't need it, just disable pf. echo pf=NO >>/etc/rc.conf.local
Sloppy tracking could work. Also check out "flags any".
Tagging "no state" at the end of each rule could incur a performance hit
because the rule set will need to be traversed for each packet instead
of relying on the state table. Only do it if performance doesn't matter
or you have few rules. I would definitely try it for the kind of
coarse-grain ACL we usually see on core routers, i.e. a single pass rule
with a table of allowed source/destination addresses.
Simon
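The three options discussed above (sloppy state, "flags any", and "no state" on a coarse table-based ACL), written out as a pf.conf fragment. This is an added example, not from the thread; the table name, interface name and addresses are constructed placeholders.

```pf
# Constructed example: coarse-grain ACL for a core router that sees
# asymmetric traffic. Names and addresses are placeholders.
ext_if = "em0"
table <allowed> { 192.0.2.0/24, 198.51.100.0/24 }

set skip on lo0
block drop log all

# Option 1: keep state, but skip TCP sequence-window checks so that a
# connection whose other direction never crosses this box is not dropped.
# "flags any" lets state be created from a mid-stream packet, not only SYN.
pass in  quick on $ext_if proto tcp from <allowed> to any \
        flags any keep state (sloppy)
pass out quick on $ext_if proto tcp from any to <allowed> \
        flags any keep state (sloppy)

# Option 2: no state at all. Every packet is matched against the rule set,
# so keep the stateless rules few and put them early with "quick".
# Without a state entry, return traffic is not implicitly allowed: each
# direction needs its own pass rule.
pass in  quick on $ext_if from <allowed> to any no state
pass out quick on $ext_if from any to <allowed> no state
```

Use only one of the two options for a given flow; mixing a stateless pass with a stateful one on the same traffic makes the resulting behaviour depend on rule order. Load and check with `pfctl -nf /etc/pf.conf` before `pfctl -f /etc/pf.conf`.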