Date: Thu, 8 Nov 2007 21:39:44 +0100
From: Max Laier <max@love2party.net>
To: Dag-Erling Smørgrav <des@des.no>
Cc: freebsd-net@freebsd.org
Subject: Re: pf misfeature
Message-ID: <200711082139.52958.max@love2party.net>
In-Reply-To: <86ve8cbiee.fsf@ds4.des.no>
References: <86zlxoblmj.fsf@ds4.des.no> <200711082043.31664.max@love2party.net> <86ve8cbiee.fsf@ds4.des.no>

On Thursday 08 November 2007, Dag-Erling Smørgrav wrote:
> Max Laier <max@love2party.net> writes:
> > On Thursday 08 November 2007, Dag-Erling Smørgrav wrote:
> >> but what you actually get is this:
> >>
> >> pass on $eth from $lan to $lan flags S/SA keep state
> >>
> >> which only matches TCP handshakes, so your UDP streams are screwed.
> >
> > I don't think this is true.
>
> With "pass on $eth from $lan to $lan", NFS doesn't work.  With "pass on
> $eth inet proto { tcp, udp } from $lan to $lan", it does.

Works for me.  I can NFS over UDP in both directions with the following
rules (expanded):

block drop log all
pass log on bge0 from (bge0:network) to (bge0:network) flags S/SA keep state

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News