[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

rdr, queues, tags and block policy

i have a problem with rdr:
i have a default block policy, i can recognize incoming rdr packets by tags
given to them in 'rdr' line, but i don't know about any way to spot replies
to these rdr requests.
the whole problem is that i want to use if-bound states, because i need to
limit both downstream and upstream of rdr'ed packets. if i use floating
states, the problem will go away, but then i could only queue one-way
i was thinking about allowing rdr 'replies' incoming on $int_if by
specifying protocol, 'from' address and the port, but then one can craft
connection with given port and connect even though rdr isn't established by
the other side.
i was also thinking about synproxy and blocking S/SA 'replies' on $int_if
establishing a state, but udp are stateless :-(
any ideas? is there a way to tag whole connection, or queue both upstream
and downstream with floating keep state rule?
Stanisław Halik :: http://weirdo.ltd.pl