Date: Thu, 8 Dec 2005 05:02:34 -0600
From: "Travis H." <solinym@gmail.com>
To: Jon Otterholm <jon.otterholm@ide.resurscentrum.se>
Cc: freebsd-pf@freebsd.org
Subject: Re: PF on router v2.0
Message-ID: <d4f1333a0512080302o63801f36ya46c5849469c58d0@mail.gmail.com>
In-Reply-To: <4394BA10.6050500@ide.resurscentrum.se>
References: <4394BA10.6050500@ide.resurscentrum.se>
> pass in all
> pass out all

I think you can do that with one rule.

pass all

You can also tighten the tcp rule by specifying "flags S/SA"... the state will take care of the rest of the packets. This prevents ack-scanning.

You might also consider "antispoof" rules on the interfaces, but that is a kind of blocking, so maybe you don't want it after all.

Overall this ruleset and your needs are so simple there's not much to suggest. Maybe try list versus tables to see the speed difference, but other than that...

-- 
http://www.lightconsulting.com/~travis/ -><-
Knight of the Lambda Calculus
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?d4f1333a0512080302o63801f36ya46c5849469c58d0>
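The two suggestions in the reply above (the "flags S/SA" tightening of the TCP rule, and antispoof as an optional blocking rule), written out as a pf.conf fragment. This is an added example, not a ruleset posted in the thread; the interface names em0/em1 and the network 192.168.1.0/24 are assumptions chosen for illustration.

```pf
# Added example (not from the thread). Interface names and the LAN prefix are assumed.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"

# Loose form, as in the original ruleset: any packet, including a lone ACK,
# matches the pass rule (and, with keep state, may create a state entry).
# pass all

# Tightened TCP form from the reply: only a packet with SYN set and ACK clear
# (flags S/SA) is allowed to match the rule and create state. Every later
# packet of that connection is handled by the state entry, so a bare ACK that
# belongs to no existing state (an ACK scan) falls through and is not passed.
# "flags" applies to TCP only, so UDP/ICMP get their own stateful rules.
pass in  on $ext_if proto tcp from any to any flags S/SA keep state
pass out on $ext_if proto tcp from any to any flags S/SA keep state
pass in  on $ext_if proto { udp, icmp } from any to any keep state
pass out on $ext_if proto { udp, icmp } from any to any keep state

# antispoof expands into block rules for packets arriving on an interface with
# a source address belonging to that interface's own networks. As the reply
# notes, this is a form of blocking; leave it out if the router must pass
# everything.
antispoof quick for { lo0, $int_if }
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, and use `pfctl -sr` after loading to see the block rules that antispoof expanded into.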