On 01/08/2009 13:48, Jussi Peltola wrote:
> pass quick on $PFSYNCIF inet proto pfsync from $PFSYNCALLOW keep state
> pass quick on $INTIF inet proto carp from $CARPALLOW keep state
> IIRC you should use keep state (no-sync) here since these aren't very
> meaningful on the other fw
I'm gonna have a look at this.
> I'm not sure if I see a typical border filtering scheme (maybe I didn't
> read carefully enough), you'll want to drop:
> * Packets not from you (your advertised prefix) to your ISP, probably
> also log these (even though your ISP should drop them, they might
> not[1] and you really want to know about them)
True.
> * Packets from you from your ISP, they are not you. Logging these should
> be interesting, too.
I'm gonna add this.
> * Probably also: packets not addressed to you from your ISP
Thanks for your input and advice.
I'm reworking the pf config and will post the updates once the file is
clean.
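The no-sync state option and the three border anti-spoofing drops from the thread, written out as an added pf.conf fragment (not the poster's config; interface names, the 203.0.113.0/24 prefix and the 10.0.0.2 peer address are constructed placeholders):

```pf
# Constructed placeholders: adjust to the real interfaces and prefix.
ext_if    = "em0"   # ISP-facing interface
carp_if   = "em1"   # interface carrying CARP advertisements
pfsync_if = "em2"   # dedicated pfsync link between the two firewalls

# Advertised prefix: everything that is legitimately "us" on the outside.
table <mynets> const { 203.0.113.0/24 }
# Addresses of the peer firewall on the pfsync and CARP interfaces.
table <fw_peers> const { 10.0.0.2 }

# pfsync/CARP states are only meaningful on the firewall that created
# them, so do not replicate them to the peer (no-sync).
pass quick on $pfsync_if inet proto pfsync from <fw_peers> keep state (no-sync)
pass quick on $carp_if   inet proto carp   from <fw_peers> keep state (no-sync)

# Border filtering on the ISP-facing interface. "quick" stops rule
# evaluation, so these drops win regardless of later pass rules.

# 1. Outbound: only our own prefix may leave towards the ISP.
#    Anything else is spoofed or misrouted from inside; log it.
block out log quick on $ext_if inet from ! <mynets>

# 2. Inbound: packets claiming our own prefix cannot legitimately
#    arrive from the ISP; they are spoofed. Log them.
block in log quick on $ext_if inet from <mynets>

# 3. Inbound: traffic not addressed to our prefix has no business
#    arriving here either (transit or stray traffic). Log it.
block in log quick on $ext_if inet to ! <mynets>

# Normal pass rules for legitimate traffic follow below.
```

Rule 1 is evaluated on the translated address when NAT is in use, so `<mynets>` must include every address the firewall NATs to; matches on rules 1 and 2 are the events worth alerting on, since each one is either an internal host spoofing or an upstream failing to filter.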