* Claudio Jeker <cje...@diehard.n-r-g.com> [2011-02-25 15:56]:
> On Fri, Feb 25, 2011 at 03:05:34PM +0100, Henning Brauer wrote:
> > * gb10hkzo-na...@yahoo.co.uk <gb10hkzo-na...@yahoo.co.uk> [2011-02-25 13:09]:
> > > Is there a reason why the ability to use pflow has not been
> > > implemented in scenarios where "no state" is in use.
> >
> > yes.
> > no state is stupid.
> > and pflow basically exports pf states.
> >
> > > Due to running BGP, using states on the network edge is not a viable
> > > option for me.
> >
> > I don't believe a word.
> >
>
> If you have more than one edge then stateful filtering will not work since
> sessions may exit router 1 but enter on router 2 or 3 (and you will not
> get happy with using pfsync in such a case).

tell news ;)

> So yes, I can see that you can't use pf(4) full pfstates on the edge.
> I guess sloppy states may be an option...

exactly, that's what sloppy states are for.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting