Subject: Re: Uncommon routing arrangement
To: Miles Nordin <carton@Ivy.NET>
From: Daniel Carosone <dan@geek.com.au>
List: tech-net
Date: 02/18/2005 18:22:18

On Fri, Feb 18, 2005 at 05:55:03PM +1100, Daniel Carosone wrote:
> On Fri, Feb 18, 2005 at 12:22:14AM -0500, Miles Nordin wrote:
> > Have you actually tried this, or just read about it?
>
> I have used this, at odd random times, as a temporary measure to work
> around odd random problems or for odd random experiments.  I have not
> used it heavily, regularly, or even recently.

I should note that the only problem I've had with it, and the reason I
don't use it regularly in a permanent ruleset, is a poor interaction
with keep-state.  I'd *like* to use this for policy routing over
several outbound connections.  I think I remember that I can for
sessions I initiate outbound, because keep-state remembers the
fastroute, but perhaps that wasn't working right at the time either,
my memory is hazy.  However, even if that's fine, it's no good for
directing the replies for sessions I accept inbound, because there is
(was?) no way to specify interfaces and fastroutes in the state for
packets in the reverse direction.

At the time I considered allowing raw syn packets in, and a second
keep-state fastroute rule matching the syn+ack packets outbound, but
decided that would just make too much mess of the ruleset.  This was
all some time and several ipf revisions ago.

--
Dan.
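The ruleset below is an added illustration of the situation Dan describes, not something from the thread or from the ipf project. It sketches the fastroute-with-keep-state idiom for sessions initiated outbound, the gap for sessions accepted inbound, and the SYN / SYN+ACK workaround he mentions. Interface names (`int0`, `ext0`, `ext1`), the gateway `192.0.2.1` and the internal host `10.0.0.5` are placeholders; the rule grammar follows ipf.conf(5) as I read it, and the closing `reply-to` rule assumes an ipf version that has that option, so check the man page on the system before relying on it.

```ipf
# Constructed example: a NetBSD router with two upstream links, ext0 (the
# default route) and ext1 (a second provider).  All names/addresses are
# placeholders.

# Sessions we initiate from the LAN: steer the opening SYN out ext1 via the
# "to" (fastroute) option and keep state.  The state entry carries the
# routing decision, so the remainder of the session follows the same path.
pass in quick on int0 to ext1:192.0.2.1 proto tcp from 10.0.0.0/24 to any flags S keep state

# Sessions we accept on ext1: the state entry created here remembers the
# inbound interface but records nothing about where replies should go, so
# with the default route via ext0 the replies leave on the wrong link.
pass in quick on ext1 proto tcp from any to 10.0.0.5 port = 80 flags S keep state

# Workaround considered in the thread (and judged too messy): admit the bare
# SYN without state, then match the server's SYN+ACK as it arrives from the
# LAN and attach the fastroute to *that* state entry instead.
pass in quick on ext1 proto tcp from any to 10.0.0.5 port = 80 flags S
pass in quick on int0 to ext1:192.0.2.1 proto tcp from 10.0.0.5 port = 80 to any flags SA keep state

# Assumption: an ipf release with "reply-to" lets the inbound rule itself
# record the return path in the state entry, removing the need for the
# two-rule workaround.  Verify availability in ipf.conf(5) on the system.
pass in quick on ext1 reply-to ext1:192.0.2.1 proto tcp from any to 10.0.0.5 port = 80 flags S keep state
```

The split-rule workaround doubles the rule count per service and leaves a stateless window for the initial SYN, which is the "mess" the message refers to; if the installed ipf supports `reply-to`, a single stateful rule per service keeps the ruleset readable and keeps the reverse path tied to the state entry.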