On Fri, Feb 25, 2011 at 03:05:34PM +0100, Henning Brauer wrote:
> * gb10hkzo-na...@yahoo.co.uk <gb10hkzo-na...@yahoo.co.uk> [2011-02-25 13:09]:
> > Is there a reason why the ability to use pflow has not been implemented in
> > scenarios where "no state" is in use.
>
> yes.
> no state is stupid.
> and pflow basically exports pf states.
>
> > Due to running BGP, using states on the network edge is not a viable
> > option for me.
>
> I don't believe a word.
If you have more than one edge then stateful filtering will not work since sessions may exit router 1 but enter on router 2 or 3 (and you will not get happy with using pfsync in such a case). So yes, I can see that you can't use pf(4) full pfstates on the edge. I guess sloppy states may be an option...

--
:wq Claudio