On Fri, Jul 28, 2023 at 10:09:31PM +0100, Polarian wrote:
> I do have one question, if anyone is willing to answer it, so I have on and
> off specified "keep state" depending on when I wrote the rule, but the
> following specifies it is the default:
> https://www.openbsd.org/faq/pf/filter.html
>
> So why do a lot of examples I see specify keep state if it is the default,
> is there any benefit of specifying it which I am missing?

I would guess that some of the examples are based on something that was
written long enough ago that "keep state" was not the default.

I personally only add "keep state" when I also need to add state options
such as pflow or state tracking options.

If you do a "pfctl -vnf /etc/pf.conf" and compare the output to the stored
file, you will see that "keep state" and possibly other defaults will be
appended (and things like lists of ports generating several rules and so on).

- Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.