On Wed, 14 Feb 2007, Tim Kuhlman wrote:
[snip]
> So what is happening? It seems to me that either pf is broken or his linux
> kernel is broken and pf is catching it. Any ideas as to which is the cause?
>
> One other point I need some clarification on, in my searching around I did
> find an article saying that you need the "flags S/SA" every time you use keep
> state for tcp connections in your firewall rules. This didn't seem right to
> me but I tried it anyway just to see and it had no effect. What is the final
> word on this, should you always use "flags S/SA"?
Not always, but very often. The main rule is to make sure that the
packet creating the state is not a packet of an already established
connection, but a packet creating the connection. Creating the state
from the beginning allows pf to get the info about the window scaling
and other tcp options used.
Using flags S/SA keep state is the easiest way to achieve that. Note
that on current, this is the default.
-Otto
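As an added illustration of the point in Otto's reply (this fragment is not from the thread and not from anyone in it), here is a pf.conf snippet with the weak rule beside the corrected one. The interface name in the `$ext_if` macro and the port number are assumed; only the `flags S/SA keep state` behaviour comes from the discussion above and from pf.conf(5).

```pf
# Added example, not from the thread. $ext_if and port 22 are assumed values.
ext_if = "em0"

# Weak form: any matching TCP packet can create the state, including a packet
# from the middle of a connection that was already established before pf saw
# it. A state created mid-stream never saw the handshake, so pf has no record
# of the window scaling and other TCP options the peers negotiated, and later
# packets of that connection can be dropped as out-of-window.
# pass out on $ext_if proto tcp from any to any port 22 keep state

# Recommended form: only a packet with SYN set and ACK clear (S/SA) may create
# the state, so pf always tracks the connection from its first packet and
# records the negotiated options.
pass out on $ext_if proto tcp from any to any port 22 flags S/SA keep state
```

To check what pf actually loaded, `pfctl -vnf /etc/pf.conf` parses the file without loading it and `pfctl -s rules` prints the active ruleset as pf interpreted it; on a system where `flags S/SA keep state` is the default for TCP, the bare rule and the flagged rule show up identically there.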