Date: Thu, 8 Nov 2007 21:39:44 +0100 From: Max Laier <max@love2party.net> To: Dag-Erling =?iso-8859-1?q?Sm=F8rgrav?= <des@des.no> Cc: freebsd-net@freebsd.org Subject: Re: pf misfeature Message-ID: <200711082139.52958.max@love2party.net> In-Reply-To: <86ve8cbiee.fsf@ds4.des.no> References: <86zlxoblmj.fsf@ds4.des.no> <200711082043.31664.max@love2party.net> <86ve8cbiee.fsf@ds4.des.no>
index | next in thread | previous in thread | raw e-mail
[-- Attachment #1 --]
On Thursday 08 November 2007, Dag-Erling Smørgrav wrote:
> Max Laier <max@love2party.net> writes:
> > On Thursday 08 November 2007, Dag-Erling Smørgrav wrote:
> >> but what you actually get is this:
> >>
> >> pass on $eth from $lan to $lan flags S/SA keep state
> >>
> >> which only matches TCP handshakes, so your UDP streams are screwed.
> >
> > I don't think this is true.
>
> With "pass on $eth from $lan to $lan", NFS doesn't work. With "pass on
> $eth inet proto { tcp, udp } from $lan to $lan", it does.
Works for me. I can NFS over UDP in both directions with the following
rules (expanded):
block drop log all
pass log on bge0 from (bge0:network) to (bge0:network) flags S/SA keep
state
--
/"\ Best regards, | mlaier@freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (FreeBSD)
iD8DBQBHM3QYXyyEoT62BG0RAhQpAKCAJ8T0zjHRdqjlgqz6pqpSP7A1LwCfbCOs
iSjNzqkwUENZGZaB8zf7Vh8=
=rPAJ
-----END PGP SIGNATURE-----
help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200711082139.52958.max>