I've just committed code based on a suggestion made by Daniel Hartmeier to make flags S/SA keep state the default for rules.
NOTE: This does change is in -current only, and does not apply to the 4.0 release. These changes makes pf rulesets significantly cleaner, improving readability. More importantly, it makes the recommended behaviour the default, something that OpenBSD tries to do wherever possible. - Stateful filtering should be used on most rules for performance as well as security reasons, and stateless filtering is by far the exception. - The flags S/SA change ensures that for TCP connections only initial syn packets can match a rule and create a new state. While PF supports creation of state on intermediate packets, it makes application of some security mechanisms impossible, and it makes PF unable to correctly deal with TCP window scaling on the connection. This has increasingly become a problem as more OSs ship with window scaling and increased buffers enabled by default. Most users will not see any consequences of these changes, but there are a few cases where this has impact: * Users who are doing stateless filtering on purpose * Users who expect to be able to flush their state table, fail over without pfsync, or reboot their firewall and have the states recreated from intermediate packets. Users in either of these categories should use the 'no state' and/or 'flags any' options where appropriate to explicitly request the current behaviour of their ruleset. ----- Forwarded message from Ryan Thomas McBride <[EMAIL PROTECTED]> ----- Date: Fri, 6 Oct 2006 04:45:44 -0600 (MDT) From: Ryan Thomas McBride <[EMAIL PROTECTED]> Subject: CVS: cvs.openbsd.org: src To: [EMAIL PROTECTED] X-Spam-Status: No, score=0.0 required=6.0 tests=none autolearn=ham version=3.1.1 CVSROOT: /cvs Module name: src Changes by: [EMAIL PROTECTED] 2006/10/06 04:45:44 Modified files: sbin/pfctl : parse.y Log message: Make 'flags S/SA keep state' the implicit for filter rules, based on a suggestion from [EMAIL PROTECTED] Also add 'flags any' and 'no state' options to disable flag matching and stateful filtering respectively. IMPORTANT NOTE: Current rulesets will continue to load, but the behaviour may be slightly changed as these defaults are more restrictive. If you are purposefully filtering statelessly ('no state') or have a requirement to create states on intermediate packets ('flags any') you should update your ruleset to make use of the new keywords to explicitly request the behaviour. Note that creation of states from intermediate packets in a connection is not recommended, and will increasingly cause problems as more OSs enable window scaling and increase buffer sizes by default. ok dhartmei@ deraadt@ henning@ ----- End forwarded message ----- --