Date: Thu, 8 Nov 2007 22:59:35 +0100 From: Max Laier <max@love2party.net> To: Dag-Erling =?iso-8859-1?q?Sm=F8rgrav?= <des@des.no> Cc: freebsd-net@freebsd.org Subject: Re: pf misfeature Message-ID: <200711082259.46222.max@love2party.net> In-Reply-To: <86ve8cbiee.fsf@ds4.des.no> References: <86zlxoblmj.fsf@ds4.des.no> <200711082043.31664.max@love2party.net> <86ve8cbiee.fsf@ds4.des.no>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --]
On Thursday 08 November 2007, Dag-Erling Smørgrav wrote:
> Max Laier <max@love2party.net> writes:
> > On Thursday 08 November 2007, Dag-Erling Smørgrav wrote:
> >> but what you actually get is this:
> >>
> >> pass on $eth from $lan to $lan flags S/SA keep state
> >>
> >> which only matches TCP handshakes, so your UDP streams are screwed.
> >
> > I don't think this is true.
>
> With "pass on $eth from $lan to $lan", NFS doesn't work. With "pass on
> $eth inet proto { tcp, udp } from $lan to $lan", it does.
thinking about it, this could be a strange interaction with skip steps.
Could you provide "pfctl -gvsr" with either rule(s)? In private mail if
you prefer.
--
/"\ Best regards, | mlaier@freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (FreeBSD)
iD8DBQBHM4bSXyyEoT62BG0RAkbQAJ9x7UNJ18jmrHaTc2IvWqr1buwd6gCePBUx
/eP/vpTyAbYBHjweuiSau70=
=O0jZ
-----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200711082259.46222.max>