From: Rob
To: freebsd-questions@freebsd.org
Date: Fri, 17 Sep 2004 23:53:40 +0900
Subject: Re: Too many dynamic rules, sorry
Message-ID: <414AFA74.4070001@yahoo.com>
In-Reply-To: <414AF79C.4030809@etherealconsulting.com>

Norm Vilmer wrote:
> Here are the rules that I have that keep-state on the outside interface:
>
> # For DNS
> add 01300 pass udp from ${oip} to any 53 keep-state
> # For NTP
> add 01400 pass udp from ${oip} to any 123 keep-state
> # For VPN
> add 01500 pass gre from any to any keep-state
> # For ICMP
> add 01600 pass icmp from any to any via ${oip} keep-state
>
> Do you think these are causing the problem?
Aren't udp and icmp state-less protocols? In that case, keep-state would not make much sense. I use 'keep-state' only for tcp rules. I may be wrong; moreover, I haven't followed the full thread :).

Rob.
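As an added example (not from Rob, Norm or anyone on the list), here is a small POSIX shell script that tallies the dynamic entries reported by `ipfw -d show` per rule number and protocol, so you can see which keep-state rules are filling the table, and expresses a count as a percentage of the limit. The listing embedded in it is constructed in the assumed layout `rule pkts bytes (lifetime) STATE proto src sport <-> dst dport`; check that column order against your FreeBSD version before relying on it. The sysctls `net.inet.ip.fw.dyn_count` and `net.inet.ip.fw.dyn_max` are the real ipfw counters. ipfw creates a dynamic entry for any protocol on a keep-state match (UDP entries expire after `net.inet.ip.fw.dyn_udp_lifetime`, other non-TCP entries after `net.inet.ip.fw.dyn_short_lifetime`), which is why the tally groups by rule and protocol rather than assuming only TCP contributes.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Tally ipfw dynamic (keep-state) entries per rule and protocol from the
# output of `ipfw -d show`, and express a dynamic-rule count as a percentage
# of the dyn_max limit.

# Constructed sample in the assumed 5.x-era layout:
#   rule pkts bytes (lifetime) STATE proto src sport <-> dst dport
# Rule numbers mirror Norm's ruleset; addresses are documentation ranges.
SAMPLE_DYN='## Dynamic rules (6):
01300    12    1104 (5s) STATE udp 10.0.0.5 53123 <-> 192.0.2.53 53
01300     4     360 (3s) STATE udp 10.0.0.5 53124 <-> 192.0.2.54 53
01400     1      76 (5s) STATE udp 10.0.0.5 123 <-> 192.0.2.123 123
01500   900   81000 (298s) STATE gre 203.0.113.7 0 <-> 198.51.100.9 0
01600     2     168 (1s) STATE icmp 10.0.0.5 0 <-> 192.0.2.1 0
01600     1      84 (1s) STATE icmp 203.0.113.99 0 <-> 10.0.0.5 0'

# Read an `ipfw -d show` listing on stdin; print "rule proto count",
# largest count first (ties ordered by rule number). Only lines carrying
# a STATE entry are counted, so the static rules that precede them in
# the listing are ignored.
count_dyn_by_rule() {
    awk '$5 == "STATE" { n[$1 " " $6]++ }
         END { for (k in n) print k, n[k] }' |
    sort -k3,3nr -k1,1
}

# Total number of dynamic entries in the listing on stdin.
dyn_total() {
    awk '$5 == "STATE" { c++ } END { print c + 0 }'
}

# Percentage of the dynamic-rule table in use: dyn_pct COUNT MAX
# (on a live system: net.inet.ip.fw.dyn_count and net.inet.ip.fw.dyn_max).
dyn_pct() {
    awk -v c="$1" -v m="$2" 'BEGIN { printf "%d\n", (c * 100) / m }'
}

# Stand-alone demonstration over the constructed sample.
printf '%s\n' "$SAMPLE_DYN" | count_dyn_by_rule
echo "total dynamic entries: $(printf '%s\n' "$SAMPLE_DYN" | dyn_total)"
echo "table usage with dyn_max=4096: $(dyn_pct 6 4096)%"
```

On a live box the same functions run as `ipfw -d show | count_dyn_by_rule` and `dyn_pct "$(sysctl -n net.inet.ip.fw.dyn_count)" "$(sysctl -n net.inet.ip.fw.dyn_max)"`; a rule whose entry count keeps climbing toward dyn_max is the one to tighten (narrower source, or drop keep-state where it buys nothing), rather than only raising the limit.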