Subject: Re: pf for NetBSD
To: None <tech-net@netbsd.org>
From: Wolfgang Rupprecht <wolfgang+gnus20021106T071601@wsrcc.com>
List: tech-net
Date: 11/06/2002 07:39:45
pcah8322@artax.karlin.mff.cuni.cz (Pavel Cahyna) writes:
> And in the future, there are plans to integrate ALTQ and pf (work has
> already begun). Right now, the syntax for ALTQ's filters is neither as
> intuitive nor as powerful as the syntax for pf or ipfilter, and it's
> a good idea to not have two filters, one for the firewall and another for
> ALTQ. I'm not aware of such a project for ipfilter.

How does pf handle state from an outgoing connection that is closing?
Under ipf the state for an outgoing TCP connection appeared to be torn
down as soon as the local side closed the connection.  If the remote
side never got the ack for the fin then it would be retransmitting the
fin for a long time.  Each time the retransmitted packet would bang on
the now closed port on the firewall and be dropped.  If pf handled
that state better and kept the TCP-filter state around for 2xMSL that
would be a vast improvement.

-wolfgang
-- 
The cpu is willing but the powersupply is weak.

spider food: http://www.wsrcc.com/baddream/usenet/
(NOTE: The email address above is valid.  Edit it at your own peril.)
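As an added illustration that is not part of this thread and is not pf or ipf code: a toy stateful-filter model of the closing-state problem described in the message above. The two purge policies, the state names, the MSL value and the packet trace are all constructed for the model; the real pf and ipf state engines are considerably more involved.

```python
MSL = 30.0  # maximum segment lifetime in seconds; a constructed value for this model

class TcpStateEntry:

    def __init__(self, keep_after_close: float):
        # 0 purges the entry as soon as the close handshake has passed the filter (the
        # ipf behaviour described above); 2 * MSL keeps a TIME_WAIT-like entry instead.
        self.keep_after_close = keep_after_close
        self.state = None       # None, "SYN_SENT", "ESTABLISHED", "CLOSING" or "TIME_WAIT"
        self.fin_seen = set()   # directions ("out"/"in") whose FIN has already passed
        self.expires = None     # absolute time at which a TIME_WAIT entry is purged

    def filter(self, t: float, direction: str, flags: set) -> str:
        """Return "pass" or "drop" for one segment seen at time t."""
        if self.expires is not None and t >= self.expires:
            self.state, self.expires, self.fin_seen = None, None, set()
        if self.state is None:
            if direction == "out" and flags == {"SYN"}:  # only a local SYN creates state
                self.state = "SYN_SENT"
                return "pass"
            return "drop"  # no entry: this is where the retransmitted FIN lands
        if self.state == "TIME_WAIT":
            if "FIN" in flags:  # peer never got our ACK: let it through, restart the timer
                self.expires = t + self.keep_after_close
            return "pass"
        if self.state == "SYN_SENT" and direction == "in" and {"SYN", "ACK"} <= flags:
            self.state = "ESTABLISHED"
        if "FIN" in flags:
            self.fin_seen.add(direction)
            self.state = "CLOSING"
        elif self.state == "CLOSING" and len(self.fin_seen) == 2 and "ACK" in flags:
            # Final ACK of the close has passed; the filter cannot know if the peer gets it.
            if self.keep_after_close == 0:
                self.state, self.fin_seen = None, set()
            else:
                self.state, self.expires = "TIME_WAIT", t + self.keep_after_close
        return "pass"

def run_trace(keep_after_close: float, retransmit_at: float = 11.3) -> list:
    """Constructed trace: open, orderly close, the local final ACK is lost after
    the filter, and the peer retransmits its FIN at retransmit_at."""
    trace = [
        (0.0, "out", {"SYN"}), (0.1, "in", {"SYN", "ACK"}), (0.2, "out", {"ACK"}),
        (10.0, "out", {"FIN", "ACK"}),  # local side closes first
        (10.1, "in", {"ACK"}), (10.2, "in", {"FIN", "ACK"}),
        (10.3, "out", {"ACK"}),         # passes the filter, then lost on the way to the peer
        (retransmit_at, "in", {"FIN", "ACK"}),
    ]
    entry = TcpStateEntry(keep_after_close)
    return [entry.filter(t, d, f) for t, d, f in trace]
```

With `keep_after_close=0` the retransmitted FIN is dropped against a vanished entry; with `2 * MSL` it passes and restarts the timer, and only a retransmit arriving after the timer has run out is dropped.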