
Re: pf(4) schemantics



On Thu, Mar 20, 2003 at 09:01:22PM +0100, Srebrenko Sehic wrote:
> On Thu, Mar 20, 2003 at 12:32:50PM -0700, [email protected] wrote: 
> > Okay, I think I'm starting to understand what you want. (because I
> > believe we tossed the idea around at the last hackathon)
> > Basically, you want a state-creating packet to be able to create state
> > on multiple interfaces, like:
> > pass in on $ext_if proto tcp from any to $webserver port 80 \
> >    keep state on {$ext_if $int_if} flags S/SAFR
> > (The way I had envisioned it, this would only occur for the
> > state-creating packet, and it would only do so for the interfaces
> > indicated.)
> > Is this what you mean?
> Yes, thank you. I also still mean that pf(4) should not care about
> packets going 'out' of an interface, only in, but let's kill this
> thread.
I'm close to giving up on you wrt that. Somehow it seems you don't _want_
to see why filtering outbound on an interface is so important. I gave a
very good example why that is absolutely needed.
> Or even better, dis the "keep state on {$ext_if $int_if}"; "keep
> state" should be enough, since pf(4) should take care of that.
no way.
see above.
> Now this feature would be _very_ nice.
> Any chance this could be implemented, say post 3.3?
> Henning? Others?
it would be "keep state on { interface-list }", to make that clear.
I don't like the idea too much. I see _very_ little gain, but enough pain.
I mean, it's not new. We talked about that during c2k2. That is a year ago
soon. If that idea had been so good we would have added it already, no? ;-)
-- 
Henning Brauer, BS Web Services, http://bsws.de
[email protected] - [email protected]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
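For readers who want to see what the proposed "keep state on { interface-list }" syntax would have replaced, here is the conventional pf.conf form of the same policy written with one explicit rule per interface. This is an added illustration, not part of the mail thread and not a rule set from either author; the macro values (fxp0, fxp1, 192.168.1.10) are constructed placeholders, and the use of "flags S/SAFR" simply follows the quoted proposal. The point of the two-rule form is the one Henning makes above: each interface gets its own stated policy, and the outbound rule on $int_if is where you control which replies and which forwarded traffic actually reach the inside.

```pf
# Constructed macro values; substitute your own interfaces and host.
ext_if = "fxp0"
int_if = "fxp1"
webserver = "192.168.1.10"

# Default deny on every interface in both directions, so anything not
# explicitly passed below is dropped and logged.
block log all

# Inbound on the external interface: accept only new TCP connections
# (SYN set, SYN/ACK/FIN/RST otherwise clear) to the web server on port 80
# and create state for them.
pass in on $ext_if proto tcp from any to $webserver port 80 \
    flags S/SAFR keep state

# Outbound on the internal interface: the same connection must also be
# allowed to leave towards the web server. Writing this rule explicitly
# is what lets the outbound direction on $int_if be filtered at all;
# nothing is forwarded inside unless a rule here permits it.
pass out on $int_if proto tcp from any to $webserver port 80 \
    flags S/SAFR keep state
```

With "block log all" in place, dropping the second rule makes the forwarded SYN disappear at $int_if and show up in pflog, which is a quick way to confirm that the outbound filter on the inside interface is actually being consulted.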