Thanks for your answer.

The disturbing thing for me was that I work on several firewalls, and some have 
the flags S/SA keep state options and some do not… so, as I’m quite new to pf, I 
was really wondering.

f.g.

> On 22 Oct 2018 at 17:09, Daniel Corbe <dco...@hammerfiber.com> wrote:
> 
> at 10:04 AM, Frédéric Goudal <frederic.gou...@bordeaux-inp.fr> wrote:
> 
>> - is there any reason to add keep state to a pass rule?
> 
> 1) UDP rules don’t keep state by default.
> 
> 2) Even for TCP connections, it’s better to explicitly throw a keep state on 
> there for clarity, so that people who come in behind you and actually bother 
> reading the documentation don’t have to ask the same question.  There are also 
> other available options for TCP connections that you might want to look into, 
> such as flags S/SA (only allow the initial handshake between endpoints that don’t 
> have an established state) and modulate state, which generates strong, random 
> ISNs for new connections.
> 
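The three options discussed in the thread, shown side by side in a pf.conf fragment. This is an added example, not configuration from either poster; the interface name, the network and the ports are assumptions.

```pf
# Added example (not from the thread). Interface name, network and ports
# are assumptions chosen for illustration.
ext_if    = "em0"
admin_net = "192.0.2.0/24"   # constructed sample management network

set skip on lo0
block all

# TCP with flags S/SA: only a segment with SYN set and ACK clear may create
# state, so a stray mid-stream packet can never match this rule on its own.
# modulate state behaves like keep state but rewrites the initial sequence
# numbers with strong random ISNs, shielding hosts with weak ISN generators.
pass in on $ext_if proto tcp from $admin_net to ($ext_if) port 22 \
    flags S/SA modulate state

# Outbound TCP: same handshake-only match, with keep state written out
# explicitly so the intent is visible to whoever reads this file next.
pass out on $ext_if proto tcp from ($ext_if) to any flags S/SA keep state

# UDP has no handshake, so flags does not apply. keep state still creates a
# state entry so replies (here, DNS answers) are matched against the state
# table instead of needing a separate "pass in" rule.
pass out on $ext_if proto udp from ($ext_if) to any port 53 keep state
```

Check `man pf.conf` for the defaults of the release you run: on current OpenBSD pf a `pass` rule already implies `keep state` (and `flags S/SA` for TCP), so spelling them out documents intent rather than changing behaviour, which is the clarity argument made above.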
