Greetings Folks,
I have been reviewing my rule sets and decided to seek clarification
about the tcp state stuff.
Here is what I use now:
incoming connections:
pass in quick on $ext_if proto tcp from any to <8888> port=8888 flags S/SA modulate state
outgoing:
pass out on $ext_if proto tcp from <ssh_out> to any port=22 keep state
i.e. we allow any outgoing packets to establish state but only SYNs or
SYN/ACKs to establish state for incoming packets.
Thus if the fw loses state then only incoming connections will get dropped
when it comes back (or when we go over to the backup -- I have not got
pfsync going yet).
I am not sure now why I chose to use modulate state only on
incoming connections. Is this sensible?
Cheers, Russell
--
Russell Fulton, Computer and Network Security Officer.
The University of Auckland, New Zealand.
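The state-creation behaviour discussed in the mail, as an added example that is not part of the original post and not pf's own code: a small Python model of pf's `flags set/mask` check, applied to constructed sample packets, showing which packets would create state under the two rules above once the state table has been lost (e.g. failover without pfsync). It also shows that `S/SA` matches only a bare SYN, not a SYN/ACK. The `Packet` type and helper names are my own.

```python
# Model of pf's "flags set/mask" test and of which packets create state
# under the two rules in the post. Added example; packet samples are
# constructed, and the helper names are assumptions, not pf internals.
from dataclasses import dataclass

# TCP flag letters as pf spells them, mapped to header bits.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

def flags_match(pkt_flags: str, spec: str) -> bool:
    """pf 'flags set/mask': of the flags named in mask, exactly those in set
    must be on in the packet; flags outside mask are ignored."""
    set_part, mask_part = spec.split("/")
    set_bits = sum(FLAG_BITS[f] for f in set_part)
    mask_bits = sum(FLAG_BITS[f] for f in mask_part)
    pkt_bits = sum(FLAG_BITS[f] for f in pkt_flags)
    return (pkt_bits & mask_bits) == set_bits

@dataclass
class Packet:
    direction: str  # "in" or "out" relative to $ext_if
    flags: str      # e.g. "S", "SA", "A", "PA"

def creates_state(pkt: Packet) -> bool:
    """Would this packet match a rule and create a new state entry?"""
    if pkt.direction == "in":
        # pass in ... flags S/SA modulate state: only a bare SYN qualifies,
        # so a mid-stream ACK arriving after state loss is dropped.
        return flags_match(pkt.flags, "S/SA")
    # pass out ... keep state with no flags clause: any outgoing packet,
    # including a mid-stream ACK, re-creates state.
    return True

def after_state_loss(packets):
    """Evaluate constructed packets as seen right after the state table
    was lost; returns (direction, flags, creates_state) per packet."""
    return [(p.direction, p.flags, creates_state(p)) for p in packets]

if __name__ == "__main__":
    samples = [Packet("in", "S"), Packet("in", "SA"), Packet("in", "A"),
               Packet("out", "A"), Packet("out", "PA")]
    for row in after_state_loss(samples):
        print(row)
```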