On 2018-10-22, Daniel Corbe <dco...@hammerfiber.com> wrote:
> at 10:04 AM, Frédéric Goudal <frederic.gou...@bordeaux-inp.fr> wrote:
>
>> - is there any reason to add keep state to a pass rule ?
>
> 1) UDP rules don’t keep state by default.

That's not correct.

> 2) Even for TCP connections, it’s better to explicitly throw a keep state
> on there for clarity, so that people who come in behind you and actually
> bother reading the documentation don’t have to ask the same question.
> There are also other available options for TCP connections that you might
> want to look into, such as flags S/SA (only allow initial handshake between
> endpoints that don’t have an established state) and modulate state, which
> generates strong, random ISNs for new connections.

"flags s/sa" is done by default, unless overridden with a different "flags" setting. It's down to personal opinion but I don't find that adding boilerplate to every "pass" rule makes things any more clear.
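As an added illustration (not part of the thread), the following pf.conf fragment places rules written with the options spelled out next to the equivalent rules that rely on pf's defaults, and shows the one option here that is a genuine choice rather than a default; the interface macro and port numbers are placeholders.

```pf
# Added example, not from the thread. Interface and ports are placeholders.
ext_if = "em0"

# Explicit form: every option written out.
pass in on $ext_if proto tcp to port 22 flags S/SA keep state
pass in on $ext_if proto udp to port 53 keep state

# Equivalent form: "keep state" is the default for pass rules, for UDP as
# well as TCP, and "flags S/SA" is the default for TCP unless another
# "flags" setting is given, so these rules load to the same thing.
pass in on $ext_if proto tcp to port 22
pass in on $ext_if proto udp to port 53

# "modulate state" is not a default: it makes pf replace the TCP initial
# sequence numbers with its own random values. It only applies to TCP.
pass in on $ext_if proto tcp to port 22 modulate state

# To check how pf expands a ruleset, parse it without installing it:
#   pfctl -nvf /etc/pf.conf
# or, once loaded, list the installed rules:
#   pfctl -sr
```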