Hello, I have a problem with rdr:
I have a default block policy. I can recognize incoming rdr packets by the tags given to them in the 'rdr' line, but I don't know of any way to spot replies to these rdr requests.

The whole problem is that I want to use if-bound states, because I need to limit both downstream and upstream of rdr'ed packets. If I use floating states, the problem will go away, but then I could only queue one-way communication.

I was thinking about allowing rdr 'replies' incoming on $int_if by specifying the protocol, the 'from' address and the port, but then one can craft a connection with the given port and connect even though rdr isn't established by the other side. I was also thinking about synproxy and blocking S/SA 'replies' on $int_if establishing a state, but udp are stateless :-(

Any ideas? Is there a way to tag the whole connection, or to queue both upstream and downstream with a floating keep state rule?

Regards,

-- 
Stanisław Halik :: http://weirdo.ltd.pl
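The mechanics the post is asking about, written out as an added example (this is not the poster's ruleset and not from any reply on this page): the rdr rule attaches a tag during translation, and with `set state-policy if-bound` a separate state is created on each interface, one by the `pass in on $ext_if` rule and one by the `pass out on $int_if` rule, each with its own queue. Interface names, the server address, the port and the bandwidths are assumed values chosen for illustration.

```pf
# Added example, not from the original post. Interfaces, addresses,
# ports and bandwidths below are assumed for illustration only.
ext_if  = "fxp0"
int_if  = "fxp1"
web_srv = "192.168.1.10"

# Every state is bound to the interface it was created on.
set state-policy if-bound

# One ALTQ root per interface. rdr_ext shapes the server's replies
# leaving towards the Internet, rdr_int shapes the forwarded requests
# leaving towards the internal server.
altq on $ext_if cbq bandwidth 2Mb queue { std_ext, rdr_ext }
queue std_ext bandwidth 75% cbq(default)
queue rdr_ext bandwidth 25%

altq on $int_if cbq bandwidth 2Mb queue { std_int, rdr_int }
queue std_int bandwidth 75% cbq(default)
queue rdr_int bandwidth 25%

# The tag is applied during translation, before the filter rules run,
# and stays on the packet while it is forwarded across the box.
rdr on $ext_if inet proto tcp from any to ($ext_if) port 80 tag RDR_WEB -> $web_srv port 80

# Default deny; everything below is an explicit exception.
block all

# State bound to $ext_if: created by the inbound request. The server's
# replies leaving on $ext_if match this state and inherit queue rdr_ext.
pass in on $ext_if inet proto tcp tagged RDR_WEB keep state queue rdr_ext

# State bound to $int_if: created by the forwarded request as it leaves
# towards the server. Replies arriving on $int_if match this state, so
# no "pass in on $int_if from $web_srv port 80" rule is needed.
pass out on $int_if inet proto tcp tagged RDR_WEB keep state queue rdr_int
```

Because the only rule that lets packets into $int_if's state table is a `pass out` rule, a host on the internal side cannot open a connection towards the outside simply by sourcing packets from the redirected port: under this ruleset, inbound packets on $int_if are accepted only when they match a state that an already translated, tagged request created. The same pair of rules works for a udp rdr, since `keep state` tracks udp flows by address and port pair as well; only the `proto` and `port` values change.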