On Tue, Dec 15, 2015 at 9:49 AM, Peter N. M. Hansteen <pe...@bsdly.net> wrote:
> On Tue, Dec 15, 2015 at 09:24:03AM +0000, C. L. Martinez wrote:
>>
>> I am trying to remove "flags S/SA keep state" for tcp packets inside
>> pf.conf and use "keep state" only, as it can do with udp and icmp.
>
> Why? What is it you're trying to achieve?
>
> You can override the default flags by specifying a different set or even
> 'flags any' but the question remains, why?
>
> --

Thanks Peter. Sorry for the delayed response. I am trying to use the divert-packet option inside pf rules to use Suricata/Snort as an IPS. At this moment, I can drop comms when an alert is triggered for udp and icmp packets, but it doesn't work when it is a tcp packet. I was thinking: if "using keep state for udp/icmp rules works, why not for tcp?" But maybe I am totally wrong ...