Avoid keeping state of ntp requests

Ask Bjørn Hansen ask at develooper.com
Mon Nov 16 10:59:33 UTC 2009


On Nov 16, 2009, at 2:44, Denny Lin wrote:

> 
>> I'm trying to avoid keeping state of ntp requests to our ntp servers.  They are on UDP and numerous, so it's just wasting a lot of space in the state table.
>> 
>> I've tried various variations of 'pass quick', but some rule keeps adding state for the port 123 requests.   I've put the full output of 'pfctl -sa' here:
> 
> Have you tried adding "no state" at the end of the rule? This way they
> aren't added to the state table.

Hi Denny,

Yes, indeed - that's what I'm doing; I should have made that explicit in the mail.

I've put the pfctl -vsr output up here:

	http://tmp.askask.com/2009/11/pfctl-vsr.txt

[ a little later ]

Aargh!   The problem was that the table in my rule was <ntp_servers>, but the table with the IP addresses was <ntp_hosts>!

Thanks for making me take a second[1] look.


 - ask


[1] That's a joke, more like look number 217!
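The rule shape the thread is talking about, as an added example that is not taken from the original messages: a table holding the NTP servers' addresses, a `quick` rule that passes requests to them with `no state`, and the matching stateless rule for the replies. The addresses are placeholders, and the rules are written without an interface so they fit any layout; the comments carry the checks a practitioner would run to confirm the rule is the one actually being hit.

```pf
# Added example, not the poster's pf.conf.  Addresses are placeholders.

# The table that actually holds the servers.  The thread's bug was a
# name mismatch: the rule said <ntp_servers> while the addresses were
# loaded into <ntp_hosts>, so the quick rule matched nothing and the
# requests fell through to a later rule that did keep state.
table <ntp_hosts> { 192.0.2.10, 192.0.2.11 }

# Inbound NTP requests: first match wins ("quick"), no state entry.
pass in quick proto udp from any to <ntp_hosts> port 123 no state

# With no state entry there is nothing to let the reply back out, so
# the replies need their own stateless rule as well.
pass out quick proto udp from <ntp_hosts> port 123 to any no state

# Checks after "pfctl -f /etc/pf.conf":
#   pfctl -t ntp_hosts -T show   confirms the table has entries and
#                                that its name matches the rule's.
#   pfctl -vsr                   per-rule counters: the no-state rule's
#                                Evaluations/Packets should climb while
#                                its States counter stays at 0.
#   pfctl -ss | grep ':123'      should list no NTP entries once the
#                                old ones have timed out.
```

The trade-off is the one `no state` always carries: pf no longer pairs a reply with the request that caused it, so the outbound rule passes any UDP datagram from those hosts with source port 123, not just answers to queries it has seen. For a dedicated NTP server that is normally acceptable; keep the table tight so the stateless path covers only those hosts.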



More information about the freebsd-pf mailing list