On Wed, 2004-11-24 at 01:32, Ilya A. Kovalenko wrote:
> Greetings,
>
> Just a note.
>
> Stateful inspection on a gateway can hamper TCP connections when
> inbound or outbound packets take another route (i.e. when one of the
> directions does not go through the gateway).
>
> The connection works fine at a low rate, but fast transfers stop at
> every 64K (because PF suddenly stops passing packets).
>
> I guess it is not a bug, just some feature (like some
> TCP-window-related state protection). So think about whether there are
> reasons to correct this PF behavior.
>
> Thank you
>
> Ilya A. Kovalenko
stateful firewalls are built on the premise that the firewall is in-line between client and server, and therefore sees all requests/replies. asymmetric routing violates that premise, and therefore all bets are off.

if you *_must_* do this, allow states to be created on non-SYN packets (note: this is an *awful* idea).

i will assume that you do not have delusions that this should work with NAT-ed connections, because it most certainly will not.

-j

-- 
"Another day, another box of stolen pens." --The Simpsons
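The following toy model is added here as an illustration of the failure mode discussed in this thread; it is not code from the thread, from the posters, or from PF itself. It assumes a deliberately simplified state check (a data segment is only passed if it fits inside the window the firewall last saw the receiver acknowledge and advertise), and the segment size, 64 KiB window, initial sequence numbers and 200 kB transfer are constructed sample values. When the server's return path bypasses the firewall, the firewall never learns that the server has acknowledged anything, so the client's data runs into the firewall's stale view of the window after roughly 64K and is dropped; when both directions pass through, the whole transfer goes through. The point for a defender is that the routing asymmetry is the defect to fix, and that loosening state creation only hides it.

```python
"""Toy model of a stateful TCP firewall under asymmetric routing.

Simplified illustration only (not PF's real state code): per direction the
firewall remembers the highest ACK and the window it has actually seen, and
only passes data that fits inside that window. All numbers are constructed.
"""
from dataclasses import dataclass, field

MSS = 1460            # constructed: payload bytes per data segment
WINDOW = 65535        # constructed: unscaled maximum TCP window (64 KiB)


@dataclass
class Segment:
    src: str           # "client" or "server"
    dst: str
    seq: int           # first sequence number of the payload
    length: int        # payload bytes (0 for a pure ACK)
    ack: int           # acknowledgement number carried by the segment
    win: int = WINDOW  # receive window advertised by the sender


@dataclass
class Peer:
    """What the firewall believes about one endpoint of the connection."""
    ack: int = 0       # highest ACK this peer has sent, as seen by the firewall
    win: int = WINDOW  # window this peer last advertised, as seen by the firewall


@dataclass
class StatefulFirewall:
    """Tracks a single established connection between client and server."""
    peers: dict = field(default_factory=lambda: {"client": Peer(), "server": Peer()})
    dropped: int = 0

    def learn_handshake(self, client_isn: int, server_isn: int) -> None:
        # The three-way handshake is assumed to pass through the firewall in
        # both directions, so it knows each side's starting ACK value.
        self.peers["client"].ack = server_isn + 1
        self.peers["server"].ack = client_isn + 1

    def inspect(self, seg: Segment) -> bool:
        """Return True if the segment is passed, False if it is dropped."""
        receiver = self.peers[seg.dst]
        # Data may only extend up to the receiver's last known ACK plus window.
        if seg.seq + seg.length > receiver.ack + receiver.win:
            self.dropped += 1
            return False
        # Update state from what the firewall does get to see from the sender.
        sender = self.peers[seg.src]
        sender.ack = max(sender.ack, seg.ack)
        sender.win = seg.win
        return True


def simulate_transfer(total_bytes: int, acks_via_firewall: bool) -> int:
    """Send total_bytes client->server; return the bytes the firewall passed.

    acks_via_firewall=False models the server's return path bypassing the
    firewall, so its view of the server's ACKs never advances.
    """
    client_isn, server_isn = 1000, 5000     # constructed sample ISNs
    fw = StatefulFirewall()
    fw.learn_handshake(client_isn, server_isn)
    seq = client_isn + 1
    delivered = 0
    while delivered < total_bytes:
        length = min(MSS, total_bytes - delivered)
        data = Segment("client", "server", seq, length, ack=server_isn + 1)
        if not fw.inspect(data):
            break                             # the "transfer stops" symptom
        delivered += length
        seq += length
        # The server acknowledges the data; with asymmetric routing this ACK
        # travels a path the firewall never sees.
        ack_seg = Segment("server", "client", server_isn + 1, 0, ack=seq)
        if acks_via_firewall:
            fw.inspect(ack_seg)
    return delivered


if __name__ == "__main__":
    print("symmetric  :", simulate_transfer(200_000, acks_via_firewall=True))
    print("asymmetric :", simulate_transfer(200_000, acks_via_firewall=False))
```

With the symmetric path the full 200,000 bytes pass; with the server's ACKs bypassing the firewall the transfer stalls at 64,240 bytes, the last whole segment that fits below the 64 KiB window the firewall still believes is in force. Making the state check permissive (creating state on non-SYN packets) would let the stalled flow continue, but it does so by discarding the information the firewall relies on, which is why the reply above calls it an awful idea.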