
Re[2]: PF Filter rules & NAT



Hello Saad,
Monday, December 09, 2002, 11:55:54 AM, you wrote:
SK>   pass out quick on $dmz_if proto tcp from $internal_net to $dmz_net \
SK>   flags S keep state 
Using flags S means filtering ECN, which is a bad thing. Use S/SAFRUP
instead. This was not a problem until 3.2 (I think, maybe 3.1)
because PF didn't support ECN (or the kernel, or both; I made the
jump from 3.0 to 3.2, so I don't really know what happened in the
middle).
-- 
Best regards,
 Alejandro Belluscio
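
The flag matching discussed in the message above, as an added example that is not part of the original post and is not PF's own code. It models a `flags <set>/<mask>` test as `(tcp_flags & mask) == set` and assumes, following the post, that a bare `flags S` compares against all eight flag bits; the function names and sample packets are constructed for illustration.

```python
# Model of PF-style TCP flag matching (illustrative, not PF source code).
# Letters follow pf.conf: F=FIN S=SYN R=RST P=PUSH A=ACK U=URG E=ECE W=CWR.
PF_FLAG_BITS = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
    "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80,
}
ALL_FLAGS = 0xFF


def letters_to_bits(letters):
    """Convert a string such as 'SAFRUP' into a TCP flag bitmask."""
    bits = 0
    for ch in letters.upper():
        if ch not in PF_FLAG_BITS:
            raise ValueError("unknown TCP flag letter: %r" % ch)
        bits |= PF_FLAG_BITS[ch]
    return bits


def parse_flags_spec(spec):
    """Return (want, mask) for a spec such as 'S' or 'S/SAFRUP'.

    Assumption taken from the post: with no '/mask' part, every flag bit
    is examined, including the ECN bits ECE and CWR.
    """
    want, sep, mask = spec.partition("/")
    want_bits = letters_to_bits(want)
    mask_bits = letters_to_bits(mask) if sep else ALL_FLAGS
    if want_bits & ~mask_bits:
        raise ValueError("flags to match must be a subset of the mask")
    return want_bits, mask_bits


def rule_matches(spec, tcp_flags):
    """True if a packet carrying tcp_flags satisfies the flags spec."""
    want, mask = parse_flags_spec(spec)
    return (tcp_flags & mask) == want


# Constructed sample packets (flag byte only).
SAMPLES = {
    "plain SYN": letters_to_bits("S"),
    "ECN-setup SYN (SYN+ECE+CWR, RFC 3168)": letters_to_bits("SEW"),
    "SYN+ACK": letters_to_bits("SA"),
}

if __name__ == "__main__":
    for name, flags in SAMPLES.items():
        for spec in ("S", "S/SAFRUP"):
            print("%-40s flags %-9s -> %s" % (name, spec, rule_matches(spec, flags)))
```

Under this model the ECN-setup SYN is the only packet the two specs treat differently: it fails `flags S` and so never creates state, while `S/SAFRUP` ignores ECE and CWR and still rejects SYN+ACK.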