From: Lev Serebryakov
Reply-To: lev@FreeBSD.org
Organization: FreeBSD
Date: Fri, 30 Jan 2015 18:39:05 +0300
To: wishmaster
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw, nat and stateful firewall: why "keep-state" on "skipto" works at all and how do this properly?
Message-ID: <54CBA599.8030904@FreeBSD.org>
In-Reply-To: <1422608336.828476401.wghnslia@frv34.fwdcdn.com>
List-Id: Networking and TCP/IP with FreeBSD

On 30.01.2015 12:22, wishmaster wrote:

> At first, I think you should move keep-state from skipto to
> an explicit allow rule.

Yep! I like it TOO!

> For my case with 4 ISP links I use something like this example, but
> more complex, though.

Could you please show a variant for 4 ISP links? :)

-- 
// Lev Serebryakov