ipf rules

[oisleyen]

Hi all,

I have a state table problem. I am writing a rule to connect (rule is below) but I don't want to write a state table for this connection (rule). [ ? - Mod. ]

pass out quick on ep0 proto tcp from <ip_adress> to any keep state.

How can I solve this problem?

 

[SirDice]

If you don't want to "keep state" try removing the "keep state".

 

[oisleyen]

You are right but I have tried a lot of rules, one of them is that. Maybe, this problem could solve another rules.

 

[SirDice]

What exactly are you trying to do?

 

[oisleyen]

The connection has a TTL (connecting time) value in the state table. The connection stayed in the state table when the TTL was negative, therefore the state table capacity was filled. I can not change the TTL value because it is not possible in this case. So, I am searching another solution with ipf rules or other to solve this problem.

 

[SirDice]

I would suggest using PF instead, the syntax is almost the same so it should be relatively easy to migrate. IPFilter hasn't seen an update in eons.

 

[kpa]

What kind of traffic are we talking about? UDP? If it's UDP and the states are timing out soon you could use PF and increase the timeout options to suitable values. Also using no state on UDP connections is not recommended because you then open up all kinds of possibilities for spoofing attacks.

 

[oisleyen]

Unfortunately, I can not use PF because our product works with IPF. How can I solve this problem without IPF rules? What's your opinion?

Thanks and regards.