Hi folks,
from a previous thread on this list I learned that
"keep state (no-sync)" should be added to all rules
concerning either a local service or local client
running on the gateway itself.
Esp. when you do NAT, this becomes pretty error-prone.
It's easy to forget.
AFAICS something like
match out from self to any keep state (no-sync)
match out on $ext_if inet nat-to ($ext_if:0)
is not allowed ("keep state is great, but only for pass
rules"). Is there some other way to avoid a lot of
"keep state (no-sync)" statements?
Any helpful comment would be highly appreciated.
Regards
Harri
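An added pf.conf sketch (not from the original post) of one way to keep the per-rule repetition down: since match rules cannot carry state options, the NAT stays on its match rule, and the state option goes into a pf.conf macro that is expanded textually on every pass rule whose state belongs to the gateway itself. It assumes pf.conf macro expansion re-lexes the macro value, and the interface names and network are placeholders.

```pf
# Added example, not the original poster's configuration.
# Assumptions: em0/em1 are placeholder interface names; pf.conf
# expands a macro textually wherever $name appears in a rule.
ext_if = "em0"
int_if = "em1"
nosync = "keep state (no-sync)"

# NAT stays on a match rule; match rules take no keep state options.
match out on $ext_if inet nat-to ($ext_if:0)

# Rules whose state is owned by the gateway itself carry $nosync so the
# state is not replicated to the pfsync peer, which could not use a
# connection that terminates on this host anyway.
pass out on $ext_if inet proto { tcp udp } from self to any $nosync
pass out on $int_if inet proto { tcp udp } from self to $int_if:network $nosync
pass in  on $ext_if inet proto tcp from any to ($ext_if) port 22 $nosync

# Forwarded traffic keeps the default (synced) state so a failover
# peer can take over these connections.
pass in  on $int_if inet from $int_if:network to any
pass out on $ext_if inet from $int_if:network to any
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it; a mistyped macro expands to nothing and the rule silently loses its state option.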