Just to confirm:

Q. Duplicate packets get dropped by PF?

Q. Are these duplicates logged somehow, or do they just not match the rules or the state table, and so get logged in your bottom "block in log all"?

This is a dumb question, but... couldn't PF just pass duplicates, e.g. if it sees a SYN that's already in the table, don't add it, and if it sees a SYNACK when the state says it's already seen a SYNACK, likewise.

I have a feeling there is a good reason for not doing this, but can't recall it!

Dom

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto
Tel. 07855 805 271
http://www.devitto.com
mailto:[EMAIL PROTECTED]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Hartmeier
Sent: Thursday, July 03, 2003 5:07 PM
To: Cedric Berger
Cc: Dom De Vitto; [EMAIL PROTECTED]
Subject: Re: Only one PF table for all connections?

On Thu, Jul 03, 2003 at 05:52:48PM +0200, Cedric Berger wrote:

> You're right, 2 bridges on the same machine cannot work with PF. That
> was discussed before, without conclusive solution. I was in favor of
> tying states to interfaces, but there were objections. Maybe we need a
> keyword like "lock" or "attach" or "tie" to attach a state to a given
> interface, which would solve your problem (and other problems)

I agree it should be done, but we'll have to solve a couple of issues first.

For instance, the NATLOOK ioctl would require the caller to pass the interface name for the state lookup (otherwise it might find the wrong state). There are several tools that use NATLOOK by now (ftp-proxy, the ssh patch, squid and other proxies in ports). We'll have to adjust them all. For instance, ftp-proxy would probably require a new command line switch to specify the interface name for the NATLOOK ioctl (it doesn't need to know the interface for anything else, and I see no way it could figure it out without an additional switch).

IMO, it's well worth the effort, but it will be some effort :)

Daniel
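A pf.conf sketch added here as an illustration (it is not from this thread, and not Daniel's or Cedric's code): it shows what "tying states to interfaces" looks like with the per-interface state binding PF gained after this 2003 discussion, the `set state-policy if-bound` option and the `if-bound` / `floating` state options documented in pf.conf(5). The interface names em0 to em3 and the layout (em0+em1 form one bridge, em2+em3 the other) are assumed for the example.

```pf
# Added example, not from the thread. Assumed layout:
#   bridge0 = em0 + em1,  bridge1 = em2 + em3

# Bind every state to the interface it was created on (the default
# policy is "floating", i.e. a state matches on any interface). A state
# created for bridge0 traffic can then never match, or be confused by,
# the same packet seen again on a bridge1 member.
set state-policy if-bound

# Filter each bridge on one member only. The skipped member is not
# inspected at all, so a bridged packet is evaluated once per bridge
# instead of once on each member interface.
set skip on { em1 em3 }

# Anything the rules or the state table do not account for is logged.
block in log all

# bridge0, filtered on em0. With no direction given the rule applies
# to both in and out on em0, and the reply to a connection admitted
# here also passes through em0, which is what an if-bound state needs.
pass on em0 proto tcp from any to any port 22 keep state

# bridge1, filtered on em2. The binding can also be chosen per rule
# with the "if-bound" or "floating" state option, overriding the
# global policy for that rule only.
pass on em2 proto tcp from any to any port 80 keep state (if-bound)
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then inspect the result with `pfctl -ss`, which shows the interface each state is bound to; with a floating policy that column reads `all` instead.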
