On 2015-12-15, C. L. Martinez <carlopm...@gmail.com> wrote:
> On Tue, Dec 15, 2015 at 9:56 AM, David Dahlberg
><david.dahlb...@fkie.fraunhofer.de> wrote:
>> On Tuesday, 15.12.2015, 09:24 +0000, C. L. Martinez wrote:
>>>  I am trying to remove "flags S/SA keep state" for tcp packets inside
>>> pf.conf and use "keep state" only, as it can do with udp and icmp.
>>>
>>>  According to pf.conf man page, this is possible inserting "no state"
>>> in tcp rule, but I can't use keep state.
>>
>> "keep state" is addressed in pf.conf(5) (e.g. "Stateful Tracking
>> Options"), but it is not mentioned as often as it is the default.
>>
>> IOW: If you have not changed the default options, you may simply
>> remove "flags S/SA keep state" string without changing much (except
>> that it might now also match UDP/ICMP).
>>
>
> Thanks David. I have not changed any default options but I can't see
> how can I remove these flags ... I have tried with "flags any keep
> state" without result. If I use "no state", packets are rejected ...

"flags any no state" does remove the "flags s/sa" from the rule.
If that doesn't help then perhaps that's not what the problem is.
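
The rule variants discussed in this thread, side by side, as an added example that is not part of the original messages. The interface macro, the port and the default-deny policy are assumptions chosen for illustration.

```pf
# Constructed example: em0, port 22 and "block all" are assumptions.
ext_if = "em0"

block all

# 1. Default. For TCP this is the same as writing
#    "flags S/SA keep state" explicitly: only a packet with SYN set
#    and ACK clear matches and creates state, and the rest of the
#    connection is passed by that state entry.
pass in on $ext_if proto tcp from any to any port 22

# 2. Stateful, flag check removed. "keep state" is still implied,
#    but any TCP packet to the port can match and create state,
#    not only the opening SYN.
# pass in on $ext_if proto tcp from any to any port 22 flags any

# 3. Stateless. No state entry is created, so every packet in both
#    directions must be matched by a rule. With "block all" above,
#    the inbound rule alone leaves the replies blocked; the second
#    rule passes them explicitly.
# pass in  on $ext_if proto tcp from any to any port 22 flags any no state
# pass out on $ext_if proto tcp from any port 22 to any flags any no state
```

A candidate ruleset can be syntax-checked without loading it with `pfctl -nf <file>`, and `pfctl -sr` prints the loaded rules with the options pf actually applied.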
