
Re: stateful filters affect queue filters



On Wednesday, Jul 23, 2003, at 03:36 US/Pacific, Mark Bojara wrote:

I understand what you mean but this is only for an outgoing connection with keepstated incoming. If another completely different incoming connection gets established then since it did not originate as an outgoing connection the keep state will not apply.

I don't follow. If all of your rules specify queues, then the queues will apply. Is there a case where you don't want to specify queues that I missed?


On Wed, 23 Jul 2003, Trevor Talbot wrote:

On Tuesday, Jul 22, 2003, at 23:46 US/Pacific, Mark Bojara wrote:

Thanks for the advice, I've tried to have one rule to catch both directions but if it is outgoing traffic then the keepstate will automatically allocate the incoming packets that are coming back to the same queue. But if the request originated from an incoming request there is no way possible that the same outgoing queue will work for that traffic.

Anyway, the tagging in the state entry happens no matter which direction the packet is traveling. Thus, when you create a state on an inbound packet, the queue tag will only matter for reply packets (going back out on that interface). The inbound packets will still be tagged, but the tags don't match any queue on the interface they go out on, so nothing happens. Meanwhile, you also have a rule to create state out on that other interface, and that queue tag does apply.

You should keep the one-rule-per-interface setup, i.e. "pass in on $i01", "pass out on $i03". You should also set each rule to use the appropriate queue on that same interface, no matter which direction the rule is for.
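
The one-rule-per-interface layout described above, sketched as a pf.conf fragment in ALTQ-era syntax. This is an added example, not a configuration posted in the thread; the device names behind `$i01` and `$i03`, the bandwidths, the queue names and the port are assumptions.

```pf
# Constructed example: devices, bandwidths, queue names and port are assumed.
i01 = "fxp0"
i03 = "fxp1"

# Each interface has its own scheduler and its own queue names.
altq on $i01 cbq bandwidth 10Mb queue { i01_std, i01_web }
queue i01_std bandwidth 70% cbq(default)
queue i01_web bandwidth 30%

altq on $i03 cbq bandwidth 10Mb queue { i03_std, i03_web }
queue i03_std bandwidth 70% cbq(default)
queue i03_web bandwidth 30%

block all

# State created on the inbound packet. The state carries the i01_web tag
# in both directions, but queueing only happens where a packet leaves an
# interface that defines that queue: replies going back out $i01.
# The forwarded requests also carry the tag, but $i03 has no i01_web
# queue, so the tag has no effect there.
pass in  on $i01 proto tcp from any to any port 80 keep state queue i01_web

# Second state, created as the same connection leaves $i03. Its tag names
# a queue that exists on $i03, so the forwarded requests are queued here.
pass out on $i03 proto tcp from any to any port 80 keep state queue i03_web
```

Each rule names a queue defined on the interface the rule is bound to, regardless of whether the rule is `in` or `out`, so a connection initiated from either side ends up queued on both interfaces.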