On Fri, Jan 22, 2010 at 11:17:47AM +0000, Stuart Henderson wrote:
> On 2010-01-22, leonardo fabian <lnrd...@gmail.com> wrote:
> > Hi all,
> >
> > As an internet service provider, we have bgp peering with customers.
> > they also have bgp peering with other isps.
> >
> > the problem is if they use tcp window scaling and
> > have different paths for incoming and outgoing connections.
> > they only use our connection for incoming traffic.
> >
> > how does pf handle this kind of traffic?
> > should i disable pf?
>
> you can't reliably use stateful pf rules unless you see both
> sides of the connection. this is particularly noticeable if window
> scaling is used (i.e. tcp window size of 65536 and up).
>
> you could disable pf, or you could use stateless rules ("flags any
> no state") to pass traffic to other machines (stateful rules will be
> ok to protect traffic to the router itself).
>
Or use sloppy states...

I generally do not filter on core routers because of the asymmetric
routing. Stateless filtering works OK to block the martians and other
unwanted traffic at the border but keep the ruleset as minimal as
possible.

-- 
:wq Claudio
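A pf.conf sketch of the approaches both replies describe (stateless "flags any no state" rules for transit traffic that the router only sees one side of, sloppy state as the middle ground, and normal stateful rules only for traffic terminating on the router itself), added here as an illustration; it is not from the thread or from the OpenBSD project. The interface name, the router address, the peer table contents and the martian list are assumed placeholders (RFC 5737/1918 ranges), not anything from the original posts.

```pf
# --- assumed names and addresses (placeholders, not from the thread) ---
ext_if    = "em0"            # border interface, assumed
router_v4 = "192.0.2.1"      # this router's own address (RFC 5737 doc range)
table <bgp_peers> { 203.0.113.5, 203.0.113.9 }   # constructed peer list
table <martians> const { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, \
    169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4 }

set skip on lo0

# 1) Martians and other unwanted traffic: dropped statelessly at the
#    border, so asymmetric paths do not matter. Kept deliberately short.
block in  quick on $ext_if from <martians> to any
block out quick on $ext_if from any to <martians>

# 2) Transit traffic (customers' flows whose return path is elsewhere):
#    no state at all, so window scaling and one-sided flows are never
#    judged against a state table that has only half the picture.
pass in  quick on $ext_if proto tcp from any to any flags any no state
pass out quick on $ext_if proto tcp from any to any flags any no state
pass     quick on $ext_if proto { udp icmp } from any to any no state

# 3) Alternative to (2) if some state tracking is still wanted: sloppy
#    state skips the sequence-number/window checks that break under
#    asymmetric routing, while still keeping a (weaker) state entry.
#    Uncomment instead of the "no state" rules above, not in addition.
# pass quick on $ext_if proto tcp from any to any flags any keep state (sloppy)

# 4) Traffic to the router itself (e.g. BGP from known peers): both
#    directions pass through this box, so full stateful filtering is safe.
pass in  quick on $ext_if proto tcp from <bgp_peers> to $router_v4 \
    port 179 keep state
pass out quick on $ext_if proto tcp from $router_v4 to <bgp_peers> \
    port 179 keep state
```

Check the parse with `pfctl -nf /etc/pf.conf` before loading, and after loading confirm with `pfctl -ss` that transit flows do not appear in the state table while the peer sessions do; a state entry showing up for a customer flow means a stateful rule is matching ahead of the stateless ones.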