* Federico Giannici <[email protected]> [2008-12-25 21:31]:
> 1) To be as "transparent" as possible, we should use the "flags any"
> keyword, because with the default "flags S/SA" keyword the connections
> already established would not match the "pass" rule and would be
> blocked. Am I right?

yup

> 2) As we use different queue names for "inside" and "outside" traffic,
> every "pass" rule has an "on <interface>" parameter and specific "from"
> and "to" parameters. In this situation we should use the "set state-policy
> if-bound" option. Am I right?

no, changes nothing in that situation

> 3) In practice, we will have two separate states, one for "inside" and
> one for "outside" packets. In this situation, should we use the "sloppy"
> option?

no

> Or does the server "see" every packet, so there is no problem
> with normal state tracking?

yes

-- 
Henning Brauer, [email protected], [email protected]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
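The flag matching behind point 1, as an added example that is not part of the original thread: a small Python model of pf's `flags <a>/<b>` test (flags `<a>` set, out of the flags listed in `<b>`), run over constructed TCP flag combinations. The function names and the sample packets are assumptions made for the illustration.

```python
# Added example: models how a pf "flags" clause is tested against a TCP header.
# Flag letters follow pf.conf: F S R P A U E W.
PF_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
            "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}

def to_bits(letters):
    """Convert a string of pf flag letters into a TCP flags bitmask."""
    bits = 0
    for ch in letters:
        if ch not in PF_FLAGS:
            raise ValueError(f"unknown TCP flag letter: {ch!r}")
        bits |= PF_FLAGS[ch]
    return bits

def parse_flags_spec(spec):
    """Return (want_bits, mask_bits) for 'a/b', or None for 'any'."""
    if spec == "any":
        return None
    if "/" not in spec:
        raise ValueError("expected 'any' or '<a>/<b>'")
    want, _, mask = spec.partition("/")
    want_bits, mask_bits = to_bits(want), to_bits(mask)
    if want_bits & ~mask_bits:
        raise ValueError("flags in <a> must also appear in <b>")
    return want_bits, mask_bits

def rule_matches(spec, packet_flags):
    """True if a packet carrying packet_flags satisfies the flags clause."""
    parsed = parse_flags_spec(spec)
    if parsed is None:          # 'flags any': the TCP flags are not examined
        return True
    want_bits, mask_bits = parsed
    # Flags outside the mask are ignored; inside the mask they must equal <a>.
    return (to_bits(packet_flags) & mask_bits) == want_bits

# Constructed samples: the opening SYN, then packets of a connection that was
# already established before the ruleset was loaded.
SAMPLES = ["S", "SA", "A", "PA", "FA"]

def matched(spec):
    """Return the sample packets that the given flags clause would match."""
    return [p for p in SAMPLES if rule_matches(spec, p)]

if __name__ == "__main__":
    for spec in ("S/SA", "any"):
        print(f"flags {spec:5} matches: {matched(spec)}")
```

With `S/SA` only the initial SYN matches, so packets of a connection already in progress never match the pass rule; with `any` every sample matches.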
