On Mon, 2005-11-07 at 10:45 +0100, Joel CARNAT wrote:
> Hi,
>
> On my firewall (not bridge), all accepted incoming requests to my hosted
> services are allowed with 'flags S/SA modulate state'. As my firewall is
> a NAT router, I thought I might use 'synproxy' rather than 'modulate
> state'. Because my firewall is not configured as a bridge, and according
> to the man page, this looks like a good idea.
>
> Reading the OpenBSD pf documentation and reading pf.conf examples on
> Google, it seems using 'synproxy' is not that automatic.
>
> So my question is, can I automatically use 'flags S/SA modulate state'
> to allow incoming requests, or are there any restrictions (e.g., not
> with ICMP, or not with domain/UDP, ...)?
If I remember right, the new versions of pf/pfctl interpret "modulate
state" as "keep state" when the former does not make sense (non-TCP).

The only caveat I know of is, don't use "synproxy state" for services
that may not be up all the time, as it will show as a completed and
immediately dropped connection on the client side. "modulate state" does
not have this problem.

-- 
Shawn K. Quinn <[EMAIL PROTECTED]>
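A pf.conf fragment illustrating the distinction discussed in this thread, added here as an example and not part of either message. The interface name, addresses and ports are assumed placeholders, and the rdr rules that forward traffic to the internal host are assumed to be defined elsewhere.

```pf
# Added example (not from the thread). Interface, host and ports are
# constructed placeholders; adjust to the local setup.
ext_if  = "em0"
srv     = "192.0.2.10"   # constructed internal address (RFC 5737 range)

# Default deny for inbound traffic on the external interface.
block in on $ext_if

# Service that is reliably up: synproxy lets the firewall complete the
# TCP handshake before the backend sees the connection. If the backend
# were down, the client would see a completed-then-dropped connection
# (the caveat in the reply above), so reserve this for always-on services.
pass in on $ext_if proto tcp from any to $srv port 80 \
    flags S/SA synproxy state

# Service that may be down at times: modulate state only rewrites ISNs
# and still lets the real server answer the SYN, so an unavailable backend
# looks like an ordinary timeout or reset to the client.
pass in on $ext_if proto tcp from any to $srv port 25 \
    flags S/SA modulate state

# Non-TCP traffic: TCP flags, ISN modulation and synproxy do not apply.
# Use keep state explicitly rather than relying on pf downgrading
# "modulate state" for these protocols.
pass in on $ext_if proto udp from any to $srv port 53 keep state
pass in inet proto icmp from any to $srv icmp-type echoreq keep state
```

Load the rule set with `pfctl -nf /etc/pf.conf` first to syntax-check it before activating it.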
