Just further to what Dave is saying, where can I read more about how the UDP 'keep state' actually works (short of sifting through the source code)? I am interested as I will be setting up a firewall next year sometime to handle 100,000's of simultaneous UDP connections so it is rather important that I understand the way this works.
Thanks
Andrew

--- Dave Anderson <[EMAIL PROTECTED]> wrote:

> ** Reply to message from Srikanth Sagiraju <[EMAIL PROTECTED]> on Mon, 1 Nov 2004 19:37:30 -0500 (EST)
>
> >I was looking at some of the sample pf rules given at:
> >http://www.openbsd.org/faq/pf/queueing.html .
> >
> >On the same page in the second example (Ex2: Company network) there is
> >a rule that accepts DNS (port 53) requests from 'wwwserv' to any on 'fxp1
> >inbound' as below:
> ># filter rules for fxp1 inbound
> >pass in on fxp1 proto { tcp, udp } from $wwwserv to any port 53 \
> >   keep state
> >
> >But 'fxp0' does NOT allow any new 'outbound' connections except from the
> >'int_net'. Would that mean that DNS packets are not allowed outside the
> >firewall and the above rule was written in vain?? I am missing
> >something here..
>
> Note the 'keep state' at the end of that rule. This tells pf (roughly
> speaking) to allow further communication in both directions until the
> tcp connection is terminated. (For udp, it allows 'related' datagrams
> in both directions -- I'm not sure exactly what the definition of
> 'related' is, but it allows udp-based protocols to work.)
>
> Dave
>
> --
> Dave Anderson
> <[EMAIL PROTECTED]>
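As an added illustration (not from the thread or the OpenBSD FAQ), here is a pf.conf fragment with the two rules Srikanth asked about and, in comments, how the single state entry created on fxp1 carries the DNS query and its reply across both interfaces. Interface roles follow the FAQ example; the macro addresses, the `block all` and fxp0 rules, and the `set limit states` value are assumptions, and the timeouts shown are the pf.conf(5) defaults written out explicitly.

```conf
# Assumed layout, following the FAQ's "Company network" example:
#   fxp0 = external (Internet) interface
#   fxp1 = DMZ interface where wwwserv lives
#   dc0  = internal LAN interface (int_net)
# Addresses below are placeholders, not the FAQ's real values.
ext_if  = "fxp0"
dmz_if  = "fxp1"
int_net = "10.0.0.0/24"
wwwserv = "192.0.2.10"

# UDP has no handshake or FIN, so a UDP "connection" lives exactly as
# long as pf's state entry does. These are the pf.conf(5) defaults in
# seconds: udp.first after the first packet, udp.single while only one
# side has sent, udp.multiple once both sides have sent.
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }

# Every idle state occupies a slot until it expires; the default cap is
# 10000 states, so a box expected to track hundreds of thousands of UDP
# flows needs this raised (value here is an assumed example).
set limit states 200000

# Default policy: a state is not bound to the interface it was created
# on, so it matches the same datagram on every interface it crosses.
set state-policy floating

block all

# fxp0 (external): only int_net may open new outbound connections.
# Nothing here mentions wwwserv.
pass out on $ext_if from $int_net to any keep state

# fxp1 inbound (the rule from the FAQ): the DNS query from wwwserv
# enters here and this rule creates a state keyed on source and
# destination address and port.
pass in on $dmz_if proto { tcp, udp } from $wwwserv to any port 53 \
    keep state

# What happens next:
#  1. The same query is forwarded out on fxp0. The floating state
#     already matches it, so the ruleset is not consulted again and
#     the "int_net only" rule never applies to it.
#  2. The resolver's reply arrives on fxp0 with addresses and ports
#     swapped; pf matches it as the reverse direction of the same
#     state and passes it without any explicit rule.
#  3. The reply leaves on fxp1 toward wwwserv, again matched by state.
#  4. With no further packets the state expires after udp.multiple
#     seconds; the next query must match the pass rule afresh.
# To watch the entry while a query is in flight:
#   pfctl -ss | grep ':53'
```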
