
Re: pf(4) schemantics

On Thu, Mar 20, 2003 at 06:11:28PM +0100, Srebrenko Sehic wrote:
> Sure. However, if you only "block in all", you will end up in a situation
> where TCP_RESET for tcp and ICMP_UNREACHABLE for udp can't get back to the
> source.
these are automagically linked to the state. As long as you keep state
in your pass out rules, RST and ICMP related to the state will
always make it back to the source regardless of 'block in all'.
> Which can make clients 'hang' waiting for a TCP_RESET/ICMP_UNREACHABLE.
> I'll post a ruleset explaining issues I'm having. It _just_ might make
> things clearer.
that would be nice
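
A minimal pf.conf illustrating the behaviour described in the reply above. It is an added example, not a ruleset posted by either participant, and the interface name `fxp0` is an assumption.

```pf
# Assumed external interface name (not from the thread).
ext_if = "fxp0"

# Default deny for everything arriving inbound.
block in all

# Each outbound connection creates a state entry. Packets that match an
# existing state are passed without being evaluated against the ruleset,
# so "block in all" does not apply to them. That covers:
#   - ordinary replies (SYN/ACK, data, FIN),
#   - a TCP RST sent back by the destination,
#   - ICMP errors (e.g. port unreachable) whose embedded header refers
#     to the tracked TCP or UDP flow.
pass out on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto { udp, icmp } all keep state

# For contrast: a "pass out" rule without "keep state" creates no state
# entry, so every reply, RST and ICMP error would be evaluated against
# "block in all" and dropped unless a matching "pass in" rule existed.
```

With this ruleset loaded, `pfctl -s state` lists the state entries that returning RST and ICMP packets are matched against.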