From: Lowell Gilbert
To: freebsd-questions@freebsd.org
Date: 19 Jan 2004 20:13:33 -0500
Subject: Re: ipfw/nated stateful rules example
Message-ID: <44ektvpgle.fsf@be-well.ilk.org>

"fbsd_user" writes:

> Sorry but the rule set you posted is doing 'keep-state' on the lan
> interface and not the interface facing the public internet. All the
> rule statements processing against the public interface are
> stateless. Doing stateful testing on the private lan is just waste
> of cpu cycles, it proves nothing other than you have less trust in
> your lan users than you have in unknown public internet users.

Not really; the stateful rules are being applied against the public
Internet responses to packets sent out by the LAN users.

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area:
resume/CV at http://be-well.ilk.org:8088/~lowell/resume/
username/password "public"