On 2010-01-22, leonardo fabian <lnrd...@gmail.com> wrote:
> Hi all,
>
> As an internet service provider, we have bgp peering with customers.
> they also have bgp peering with other isps.
>
> the problem is if they use tcp window scaling and
> have different paths for incoming and outgoing connections.
> they only use our connection for incoming traffic.
>
> how does pf handle this kind of traffic?
> should i disable pf?
you can't reliably use stateful pf rules unless you see both sides of the connection. this is particularly noticeable if window scaling is used (i.e. tcp window size of 65536 and up). you could disable pf, or you could use stateless rules ("flags any no state") to pass traffic to other machines (stateful rules will be ok to protect traffic to the router itself).
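The split the reply describes, stateless rules for transit traffic that pf may only see in one direction and stateful rules for traffic addressed to the router itself, as an added pf.conf fragment that is not part of the original thread. The interface names, the router address (taken from the 192.0.2.0/24 documentation range) and the choice of BGP and SSH as the locally terminated services are assumptions for illustration only.

```pf
# Added example, not from the original thread. Interface names and
# addresses below are assumed placeholders.
ext_if = "em0"             # assumed: peering/upstream interface
int_if = "em1"             # assumed: customer-facing interface
router_self = "192.0.2.1"  # assumed: the router's own address

# Traffic to the router itself: pf sees both halves of these connections,
# so normal state tracking (and its window-scaling sanity checks) is safe.
# pf is last-match: the block is overridden by the more specific pass rules.
block in on $ext_if proto tcp from any to $router_self
pass in on $ext_if proto tcp from any to $router_self port { 179, 22 } \
    flags S/SA keep state

# Transit traffic to customers: the customer's replies may leave through
# another ISP, so pf never sees the full handshake. "flags any no state"
# passes every segment without creating or checking a state entry; the
# SYN/ACK checks are deliberately off because pf cannot evaluate them here.
pass in quick on $ext_if proto tcp from any to ! $router_self flags any no state
pass out quick on $int_if proto tcp from any to ! $router_self flags any no state
```

Two things to keep in mind when adopting this layout: the stateless rules give up the protection that state tracking provides for the customer traffic (there is no handshake or sequence checking for it, which is exactly what the asymmetric path makes impossible anyway), and the router's own stateful rules only work because those connections terminate locally, so both directions do pass through the same pf instance. Checking the rule set with `pfctl -nf /etc/pf.conf` before loading it catches syntax errors in the fragment.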