On Tue, Oct 13, 2009 at 07:05:58PM +0200, Roger Schreiter wrote:
| Roger Schreiter wrote:
| > ...
| > Now I assume, I rather have to bring pf to ignore the state
| > for packets, just passing through.
|
|
| Hi,
|
| an explicit "pass" rule with the "no state" option solved the
| problem.
|
| Imho this makes sense, because a router connecting two (or
| more) networks and managing up to Gbit/s cannot track the
| states of every connection.
Sounds very weird to me - 'keep state' is *faster* than 'no state',
because without state, every packet has to traverse the ruleset (time
consuming) while a state lookup is very fast.
Gbit/s is not an issue for pf. Search the list for postings from
henning@, he runs setups like that in production (and has done so for
quite some time).
Tracking lots of states could possibly cause you to run into the
default limits on the number of states, but that does not prevent
every packet from traversing your firewall. And even if you do run into
this, it's quite easy to increase these limits (given that you have
sufficient memory in your machine).
| Thanks for all of your hints, which helped me!
But I doubt your actual problem is fixed. It's just worked around (or
at least I think so, given the data I've seen so far).
Paul 'WEiRD' de Weerd
--
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
http://www.weirdnet.nl/
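As an added illustration, not taken from the thread, a pf.conf fragment showing the stateful rule Paul recommends next to the 'no state' workaround, plus the state-limit knob he mentions; the interface and network names are assumed:

```conf
# Added example, not from the thread. Interface and network names are assumed.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.0.2.0/24"

# The limit Paul refers to: raise the state table's hard limit above the
# default if the table fills up (each state costs kernel memory).
set limit states 100000

# Recommended: stateful pass. The state lookup is what makes forwarding
# cheap, because later packets of a flow skip the ruleset walk entirely.
pass in  on $int_if from $int_net to any keep state
pass out on $ext_if from $int_net to any keep state

# The workaround from the thread: it works, but every packet of the flow
# is evaluated against the full ruleset again.
# pass in on $int_if from $int_net to any no state
```

`pfctl -nf /etc/pf.conf` checks the syntax; `pfctl -s info` (current state entries) and `pfctl -s memory` (hard limits) show whether the state limit is actually being reached.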