source limiting NATed connections
Vasily Ivanov
freebsdpf at academ.org
Wed May 23 12:57:30 UTC 2007
Hi, Peter, thanks for your reply.
On 23 May 2007 19:07, Peter N. M. Hansteen wrote:
> Vasily Ivanov <freebsdpf at academ.org> writes:
> > When I try to put rule like this: "nat on $ext_if from $private_net to
> > any -> $nat_addr (source-track rule, max-src-states 10)" into pf.conf I
> > get a "syntax error" message.
>
> Put the source tracking part in your pass rules instead.
There're no other pass/block rules, except protecting the gateway itself.
All firewalling and shaping is on the other box, the gw is handling BGP and
NAT functions only.
There comes another question: if I add "pass in on $int_if from any to any
keep state" rule (with source-tracking etc.), will it double the number of
states in pf -- one state from nat rule, and one from keep state?
Because it's already about 12-15k states in peak times (7k minimum), and if it
doubles...
--
Vasily Ivanov
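For readers landing on this thread: an added pf.conf fragment (not from the thread, not the poster's real configuration) showing the split Peter suggests. The state options that pf rejects inside a nat rule are placed on a pass rule instead; the macro values are assumed for illustration, only the macro names come from the original rule.

```pf
# Added illustration, not the poster's configuration. Interface names,
# the private range and the NAT address below are assumed values.
ext_if = "em0"
int_if = "em1"
private_net = "10.0.0.0/8"
nat_addr = "192.0.2.1"

# The nat rule only translates; pf's grammar does not accept state
# options here, which is what produced the "syntax error".
nat on $ext_if from $private_net to any -> $nat_addr

# Per-source limits belong on the filter rule. "source-track rule" keeps a
# per-source-IP count of states created by this rule; "max-src-states 10"
# refuses an 11th concurrent state from the same source address.
pass in on $int_if from $private_net to any keep state \
    (source-track rule, max-src-states 10)
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it. To answer the state-doubling question empirically rather than by guessing, compare the "current entries" line of `pfctl -si` before and after adding the pass rule, and use `pfctl -s Sources` to see the per-source counters the source-track option maintains.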