Michael Powell wrote:
> > 
> > With my example ruleset below, where would you put the keep-state
> > option?
> > 
> > 
> > 00100 divert 8668 ip from any to table(1) out via rl0
> > 00200 deny log logamount 100 ip from 10.0.0.0/8 to any out via rl0
> > 00300 deny log logamount 100 ip from 172.16.0.0/12 to any out via rl0
> > 00400 deny log logamount 100 ip from 192.168.0.0/16 to any out via rl0
> > 
> > 00500 divert 8668 ip from table(1) to any in via rl0
> > 00600 check-state
>         ^^^^^^^^^^^
> Yes - the check-state line is required first in order to make use of the 
> keep-state line later in the ruleset.
> 
> 00650 allow ip from table(1) to any in via rl0 keep-state

It should be "out" here, not "in", because I want to permit outbound
traffic and corresponding return traffic. You might think of something like

650 allow ip from any to table(1) out via rl0 keep-state

However, if we place the "keep-state" rule at 650, only already
diverted packets will reach it, and it will be useless because the src
address will already have become the public one. I need a rule which
would permit return traffic to the RFC1918 hosts (i.e. after
dealiasing).

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
