Subject: Re: Solution for duplicate ipf states?
To: Monroe Williams <monroe@criticalpath.com>
From: Manuel Bouyer <bouyer@antioche.eu.org>
List: tech-net
Date: 05/13/2002 23:06:05
On Mon, May 13, 2002 at 01:55:14PM -0700, Monroe Williams wrote:
> on 5/13/02 1:42 PM, Manuel Bouyer at bouyer@antioche.eu.org wrote:
> 
> > On Tue, May 07, 2002 at 08:35:49PM -0700, Monroe Williams wrote:
> >> 
> >> I'm using the "keep state" rules on an ipf firewall, and I think I must be
> >> missing something.
> >> 
> >> When using the rules:
> >> 
> >> pass out quick on ex0 proto udp from any to any keep state
> >> pass out quick on ex0 proto icmp from any to any keep state
> >> 
> >> it appears that every packet that passes out on the interface creates a new
> >> state table entry.  For example, running ping for a short while on a
> > 
> > Maybe try something like this:
> > pass out first quick on ex0 proto udp from any to any keep state
> > pass out quick on ex0 proto udp from any to any keep state
> > pass out first quick on ex0 proto icmp from any to any keep state
> > pass out quick on ex0 proto icmp from any to any keep state
> > 
> > This works for me, on 1.5.2
> 
> Are you sure?  with these rules:
> 
> pass out first quick on ex0 proto icmp from any to any keep state
> ...
> pass out first quick on ex2 proto icmp from any to any keep state
> 
> I get:
> 
> [root@gate etc]# /etc/rc.d/ipfilter reload
> Reloading ipfilter rules.
> 36: unexpected keyword (first) - from
> 51: unexpected keyword (first) - from
> Set 0 now inactive
> [root@gate etc]#
> 
> Looking at the man page, it appears that the "first" keyword is only meant
> to be used with the "log" action or option.

Indeed I use it with the log option:
pass out log first quick on ex0 proto icmp from any to any keep state

-- 
Manuel Bouyer <bouyer@antioche.eu.org>
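The thread turns on the fact that ipf accepts "first" only as an option of "log", so a bare "first" makes the reload fail with "unexpected keyword (first)". As an added example (not code from the thread or from ipf itself), this small linter walks an ipf.conf fragment and reports every rule that uses "first" outside a "log [body] first" clause, so the mistake is caught before reloading the rule set; the sample rules are constructed, and the assumption that "body" is the only keyword allowed between "log" and "first" is mine.

```python
import sys

# Constructed sample ipf.conf fragment (not from the thread): line 1 repeats the
# mistake that made ipf report "unexpected keyword (first)", line 2 is the form
# Manuel used, and line 3 is a plain keep-state rule with no "first" at all.
SAMPLE_RULES = """\
pass out first quick on ex0 proto icmp from any to any keep state
pass out log first quick on ex0 proto icmp from any to any keep state
pass out quick on ex0 proto udp from any to any keep state
"""

# Keywords assumed to sit legitimately between "log" and "first" ("log body first").
LOG_MODIFIERS = {"body"}


def first_without_log(text):
    """Return a list of (line_no, rule) for rules that use 'first' outside a 'log' clause.

    In ipf's rule grammar 'first' is an option of 'log', so a bare 'first' in front of
    'quick' or 'on' is rejected by the rule parser, which is the error seen in the thread.
    """
    problems = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        rule = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not rule:
            continue
        tokens = rule.split()
        if "first" not in tokens:
            continue
        i = tokens.index("first")
        # Step back over permitted log modifiers; the token before them must be "log".
        j = i - 1
        while j >= 0 and tokens[j] in LOG_MODIFIERS:
            j -= 1
        if j < 0 or tokens[j] != "log":
            problems.append((line_no, rule))
    return problems


def lint_file(path):
    """Lint one ipf.conf file; returns the number of bad rules (usable as an exit status)."""
    with open(path) as fh:
        problems = first_without_log(fh.read())
    for line_no, rule in problems:
        print(f"{path}:{line_no}: 'first' is only valid as an option of 'log': {rule}")
    return len(problems)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(1 if lint_file(sys.argv[1]) else 0)
    for line_no, rule in first_without_log(SAMPLE_RULES):
        print(f"line {line_no}: 'first' without 'log': {rule}")
```

Run it as `python3 ipf_first_lint.py /etc/ipf.conf` before `/etc/rc.d/ipfilter reload`; a non-zero exit status means at least one rule would be rejected for a misplaced "first".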