On 4/3/07, Prokofiev S.P. <[EMAIL PROTECTED]> wrote:

Hi ALL!
The PF has useful state-policy option: if-bound, group-bound, floating.
I have found out that IPFW stateful rules do not become attached to the interface
and behave like PF stateful rules in floating mode.
For example, I build stateful rules (29991,31991) on two interfaces for two
different networks. I send a packet "pkt" from network net_staff1 to network
net_staff2. It creates a stateful rule on entering if1, then it gets access
to net_staff2 on output from if2 by keep-state rule 31991.
Deny rule 31995 does not work.

I have solved this problem with tag and skipto (29990,31990), but it is not
absolutely beautiful.
Are other solutions possible?

I'm still not sure what your goal is. If you want both
staff nets to have internet access, and to be isolated
from each other, then allow
"out recv if-staff[12] xmit if-inet"
and deny everything else.
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
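The two rulesets discussed in the thread, written out as an added example (this is not code from either message). Interface names and rule numbers are assumptions: em0 faces the Internet, em1 and em2 are the two staff networks standing in for net_staff1 and net_staff2. The first function reproduces the original poster's pattern to show why the deny never fires; the second builds the recv/xmit ruleset the reply sketches. The inbound allow in the second function is added here because a forwarded packet is evaluated by ipfw on its input pass as well, before the outbound rule gets to decide.

```shell
#!/bin/sh
# Added example, not code from the thread. Interface names and rule
# numbers are assumptions: em0 faces the Internet, em1/em2 are the two
# staff networks (the thread's net_staff1 / net_staff2).
IF_INET="${IF_INET:-em0}"
IF_STAFF="${IF_STAFF:-em1 em2}"

# Pass one rule to ipfw(8), or print it when DRY_RUN is set so the
# ruleset can be reviewed on any machine.
fw() {
    if [ -n "$DRY_RUN" ]; then
        printf 'ipfw %s\n' "$*"
    else
        ipfw -q "$@"
    fi
}

# The original poster's pattern. State is created on the inbound pass
# (recv em1). ipfw dynamic rules carry no interface, so when the same
# packet makes its outbound pass on em2, check-state accepts it before
# the deny rule is ever consulted: staff1 -> staff2 gets through.
broken_rules() {
    fw flush
    fw add 100 check-state
    n=1000
    for i in $IF_STAFF; do
        fw add $n allow ip from any to any in recv "$i" keep-state
        n=$((n + 10))
    done
    fw add 2000 deny ip from any to any   # never reached for staff -> staff
}

# The reply's approach. The decision is taken on the outbound pass,
# where both the receiving and the transmitting interface are known, and
# state is created only for the staff -> Internet path. No state exists
# that a staff -> staff packet could match, so it falls to the deny.
isolating_rules() {
    fw flush
    # first, so replies from the Internet match on both passes
    fw add 100 check-state
    n=1000
    for i in $IF_STAFF; do
        # a forwarded packet is also evaluated on input; let it through
        # without keep-state so the outbound rule decides
        fw add $n allow ip from any to any in recv "$i"
        fw add $((n + 1)) allow ip from any to any out recv "$i" xmit "$IF_INET" keep-state
        n=$((n + 10))
    done
    fw add 65000 deny ip from any to any   # staff -> staff lands here
}

# Usage: DRY_RUN=1 sh ipfw-staff.sh isolate   (print the ruleset)
#                 sh ipfw-staff.sh isolate   (load it into ipfw)
case "${1:-}" in
    broken)  broken_rules ;;
    isolate) isolating_rules ;;
esac
```

Run it with DRY_RUN=1 first to read the generated rules. The point to check in the second ruleset is that the only keep-state rules are the out rules towards em0: a staff1 -> staff2 packet is accepted on its input pass, matches no state and no out rule on its output pass, and is dropped by rule 65000, while a staff -> Internet flow creates state that check-state at rule 100 honours for the returning packets on both interfaces.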
