Re: make "keep state (no-sync)" the default?

2011-02-04 Thread Kurt Mosiejczuk

Henning Brauer wrote:

> * Harald Dunkel [2011-02-04 14:31]:
>
>> Is there some other way to avoid a lot of "keep state (no-sync)"
>> statements?
>
> is there some other way to make people READ the fucking manpages we
> put so much effort in?


If you figure that out, I think you'll be a very rich man.

--Kurt



Re: make "keep state (no-sync)" the default?

2011-02-04 Thread Kurt Mosiejczuk

Kevin Chadwick wrote:

> On Fri, 4 Feb 2011 18:56:28 +0100
> Henning Brauer wrote:
>
>> is there some other way to make people READ the fucking manpages we
>> put so much effort in?
>
> laser etcher + contact lens and super glue


I'm positive that that still won't work for some folks.

--Kurt



Re: make "keep state (no-sync)" the default?

2011-02-04 Thread Kevin Chadwick
On Fri, 4 Feb 2011 18:56:28 +0100
Henning Brauer wrote:

> is there some other way to make people READ the fucking manpages we
> put so much effort in?

laser etcher + contact lens and super glue



Re: make "keep state (no-sync)" the default?

2011-02-04 Thread Daniel Gracia

On 04/02/2011 18:56, Henning Brauer wrote:

> * Harald Dunkel [2011-02-04 14:31]:
>
>> Is there some other way to avoid a lot of "keep state (no-sync)"
>> statements?
>
> is there some other way to make people READ the fucking manpages we
> put so much effort in?

You're talking nonsense; of course not!

PS: Some of us don't forget that udp mode, non-forking, non-blocking
mods for tcpbench... I must stop slacking! xDDD




Re: make "keep state (no-sync)" the default?

2011-02-04 Thread Henning Brauer
* Harald Dunkel [2011-02-04 14:31]:
> Is there some other way to avoid a lot of "keep state (no-sync)"
> statements?

is there some other way to make people READ the fucking manpages we
put so much effort in?

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting



make "keep state (no-sync)" the default?

2011-02-04 Thread Harald Dunkel
Hi folks,

from a previous thread on this list I learned that
"keep state (no-sync)" should be added to all rules
concerning either a local service or local client
running on the gateway itself.

Esp. when you do nat this becomes pretty error-prone.
It's easy to forget.

AFAICS something like

match out from self to any keep state (no-sync)
match out on $ext_if inet nat-to ($ext_if:0)

is not allowed ("keep state is great, but only for pass
rules"). Is there some other way to avoid a lot of
"keep state (no-sync)" statements?

Any helpful comment would be highly appreciated.


Regards

Harri