Matthew Dillon wrote:
:...
:could even do modulate state or synproxy state as long as you see the
:initial SYN. If not, you fall back to creating a reduced state. This
:option would, of course, also have a setting where it would always just
:create a reduced state and be done with it.
:
:As for the name ... maybe, 'extra-tcp-state' with a possible setting
:of 'on' (default), 'off' and 'force-off' or something like that. This
:could also be a global setting similar to the timeouts which can also be
:set on a per-rule basis.
:
:\ /  Max Laier                          | ICQ #67774661

    I came across an interesting item.  I believe (but I'm not entirely
    sure if I am correct) that NetBSD implies S/SA for TCP keep
    state and it no longer needs to be specified in the rule.  Is this
    correct?

Yes, quoting http://www.openbsd.org/faq/pf/filter.html:

In OpenBSD 4.1 and later, the default flags S/SA are applied to all TCP
filter rules.

Since OpenBSD 4.1, "keep state" is also the default.

Cedric
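For readers who want to see what the two OpenBSD 4.1 defaults quoted above change in practice, here is an added pf.conf fragment (written for this page, not part of Cedric's mail or the pf project). The interface name and port numbers are assumptions; the "flags any" and "no state" keywords are the documented pf.conf(5) ways to opt out of the implied flag match and state tracking.

```pf
# Added example, not from the original mail. Interface and ports are assumed.
ext_if = "em0"

# Before OpenBSD 4.1: state tracking and the SYN-only flag match had to be
# spelled out on every TCP rule.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state

# OpenBSD 4.1 and later: "flags S/SA" and "keep state" are implied, so this
# rule is equivalent to the explicit one above.
pass in on $ext_if proto tcp from any to ($ext_if) port 22

# The implied S/SA match means only an initial SYN (SYN set, ACK clear)
# creates state. To opt out of the flag check you must now say so explicitly;
# "flags any" disables the TCP flag check for this rule.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 flags any

# Likewise, a rule that should be stateless now needs "no state", because
# "keep state" is applied by default.
pass in on $ext_if proto tcp from any to ($ext_if) port 80 no state

# The defaults also cover the stronger state options discussed in the thread:
# modulate state and synproxy state inherit the S/SA match, so they too only
# create state when they see the initial SYN.
pass in on $ext_if proto tcp from any to ($ext_if) port 443 synproxy state
```

The two rules for port 22 load identically on a 4.1+ system, which is why the explicit "flags S/SA keep state" no longer needs to be written; the point for anyone porting rulesets is that the opt-outs ("flags any", "no state") are now the part that has to be explicit.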
