It's an interesting idea. It's kind of a philosophical issue. Do you only allow what's most secure, or do you set up a framework that allows more risks to be taken if desired? I tend to like the latter, but setting up and maintaining an entire framework is a lot of work...
It would definitely have to be a framework though, because each protocol (e.g. ftp) needs tweaking to work with NAT and certain firewall provisions. The other option would be to lobby for IPv6.

Jim

-----Original Message-----
On 29/02/2004, Ed White <[EMAIL PROTECTED]> wrote to [EMAIL PROTECTED]:
> Until the state created by the above rule is in the table, PF will behave like
> if the following rule had been added.
>
> pass in inet proto tcp from $server to $user

This is like 'related' in iptables, though those people try to do a "smart" approximation about what is "related" to certain protocols. I don't like that. Doesn't buy you a real thing - only holes. Start thinking of bad guys "behind" your firewall, instead of featurisms for 'only good users' "behind" it. Short: I don't like it.
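The contrast the thread is arguing about, as an added pf.conf example that is not part of the original mail exchange: the first rule is the broad "interim" behaviour Ed's message describes (any TCP connection from $server to $user is let in), the second is the stateful alternative in which only a connection the user opens creates a state entry and nothing else from $server passes. The interface name and the two addresses are constructed placeholders, and the `keep state` / `flags S/SA` phrasing is the explicit form older PF releases required.

```pf
# Constructed example; names and addresses are placeholders.
ext_if = "fxp0"
server = "203.0.113.10"    # the remote server the user talks to
user   = "192.0.2.20"      # the protected host behind the firewall

# Default deny on the external interface.
block in on $ext_if all

# Permissive rule (what the thread objects to): every TCP connection the
# server chooses to open toward the user is accepted, not only the ones
# that belong to a session the user started.
# pass in on $ext_if inet proto tcp from $server to $user

# Stateful rule: the user's outbound SYN creates a state entry, and only
# packets matching that entry (the server's replies) get back in.  A
# connection initiated from the server side matches no state and is blocked.
pass out on $ext_if inet proto tcp from $user to $server flags S/SA keep state
```

With the permissive rule commented out, anything the server side originates hits `block in`, which is the "bad guys behind the firewall" posture the reply argues for; protocols that genuinely need server-initiated connections (active-mode FTP is the usual case) are then handled by a per-protocol helper rather than by widening the pass rule, which is the per-protocol framework the first message has in mind.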
