impossible rc.d ordering problem with stf and pf ?
stefan.lambrev at sun-fish.com
Wed Jan 31 08:03:35 UTC 2007
James Long wrote:
>> Date: Mon, 29 Jan 2007 12:02:52 +0000
>> From: Pete French <petefrench at ticketswitch.com>
>> Subject: Re: impossible rc.d ordering problem with stf and pf ?
>> To: freebsd-stable at freebsd.org, max at love2party.net
>> Cc: rcoleman at criticalmagic.com, bms at freebsd.org
>> Message-ID: <E1HBVDo-0008WW-Fe at dilbert.ticketswitch.com>
>>> 1) You use the interface name as address w/o dynamic lookup.
>>> i.e. "... from stf0 ..."
>> Yes, that's it - I hadn't come across this 'dynamic lookup' thing before
>> though, so I didn't realise what it was. I still can't find it in the PF
>> manual, aside from a reference that you need to do it for NAT.
>>> To 1 and 2 there is a simple solution: Don't do that then! 1 can easily
>>> be defused by adding parentheses. i.e. "... from (stf0) ...".
>> pass out on (stf0) inet6 from any to any keep state
> Just for my edification, what is the point of "keep state" on an
> "any-to-any" rule?
Imagine that you have only 2 rules:
block in on $if all
pass out on $if from any to any keep state
With "keep state" you have internet, without it you do not ;)
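The two-rule case from the reply above, as an added Python model (not part of the original post and not pf's own code). It assumes a simplified filter in which the state table is consulted before the ruleset and the last matching rule decides; the class names and the sample addresses are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the filtered interface
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str     # "pass" or "block"
    direction: str  # direction the rule applies to
    keep_state: bool = False

class Filter:
    """Toy model: state lookup first, then last-match rule evaluation."""
    def __init__(self, rules):
        self.rules = rules
        self.states = set()

    def check(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # A packet that belongs to an existing state never reaches the ruleset.
        if key in self.states or reverse in self.states:
            return "pass"
        verdict, matched = "pass", None  # implicit pass when no rule matches
        for rule in self.rules:          # no "quick": the last match decides
            if rule.direction == pkt.direction:
                verdict, matched = rule.action, rule
        if matched and verdict == "pass" and matched.keep_state:
            self.states.add(key)         # remember the flow for its replies
        return verdict

def round_trip(keep_state):
    """Verdicts for (outbound request, its reply, an unsolicited inbound packet)."""
    fw = Filter([Rule("block", "in"), Rule("pass", "out", keep_state)])
    # Constructed sample traffic using documentation-range addresses.
    request = Packet("out", "2002:c000:201::1", 50000, "2001:db8::80", 80)
    reply = Packet("in", "2001:db8::80", 80, "2002:c000:201::1", 50000)
    unsolicited = Packet("in", "2001:db8::99", 4444, "2002:c000:201::1", 22)
    return fw.check(request), fw.check(reply), fw.check(unsolicited)

if __name__ == "__main__":
    print("with keep state:   ", round_trip(True))
    print("without keep state:", round_trip(False))
```

In both runs the unsolicited inbound packet is blocked; only the reply to a connection opened from the inside changes verdict.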