On 03-09-2014 13:28, Paul S. wrote:

> Unfortunately, this is a gateway box -- there aren't really any
> firewall rules that I can individually apply the filter to.

I do have pflow plus nfsen setups on lots of firewalls. All of them are gateways. And I don't use state-defaults. You only need to set the pflow state once for a NATted packet, for example, only on the internal interface. That's where you'll get the original source IP address, which is the one that matters. Setting it on the NATted packets is probably what is generating these extra flows.

You can only make things simple to some extent. As your setup gets more complex, so does your ruleset.
Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
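As an added illustration of the advice above (this is not Giancarlo's or Paul's configuration, and the interface names, addresses and the pflow0 destination are constructed assumptions), here is a minimal OpenBSD pf.conf for a NAT gateway that exports one flow record per LAN connection by attaching the pflow state option only to the internal-side rule, with the `set state-defaults pflow` line left commented out because it would attach pflow to every state, including the one seen after NAT:

```conf
# Assumed topology (constructed for this example):
#   em0 = external interface, em1 = internal LAN interface
#   192.0.2.0/24 = LAN, collector (nfsen) at 192.0.2.10:9995
# pflow0 is assumed to be configured beforehand, e.g.
#   ifconfig pflow0 flowsrc 192.0.2.1 flowdst 192.0.2.10:9995 pflowproto 10
ext_if = "em0"
int_if = "em1"
lan    = "192.0.2.0/24"

# Do NOT do this on a NAT gateway: a global default attaches pflow to
# every state, so post-NAT states on $ext_if are exported as well and
# the collector sees extra flows for the same connection.
# set state-defaults pflow

# Outbound LAN traffic is NATted to the external address.
match out on $ext_if from $lan to any nat-to ($ext_if)

block log all

# Export flows only where the state is created for the inbound
# LAN packet: here the original (pre-NAT) source address is visible.
pass in on $int_if from $lan to any keep state (pflow)

# The outbound rule on the external side deliberately has no pflow
# option, so the NATted packet does not produce a second record.
pass out on $ext_if from any to any

# Traffic terminating on the gateway itself (e.g. SSH from the LAN)
# can be exported the same way, still on the internal interface only.
pass in on $int_if proto tcp from $lan to ($int_if) port 22 keep state (pflow)
```

After loading with `pfctl -f /etc/pf.conf`, `pfctl -ss` shows states for LAN connections, and `tcpdump -n -i pflow0` confirms that each connection appears once with its LAN source address rather than twice (once pre-NAT, once post-NAT).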

