On 2006/12/04 14:02, Axel Rau wrote:
> If "flags S/SA" would just be ignored by non-TCP packets, I would be
> happy.
> But the man page says:
> "This rule only applies to TCP packets that have the flags <a> set
> out of set <b>."
> This means to me: all non-TCP packets are ignored by this rule.

For non-TCP packets, 'flags S/SA' is not used. Therefore, you can use 'pass any flags S/SA' and it will pass all ICMP, all UDP, and TCP connection setup packets, but will not pass TCP mid-session packets.
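
The matching behaviour described in the reply above, as an added example that is not part of the original thread and is not pf source code: a simplified Python model of the "flags <a>/<b>" test, run over constructed sample packets. The function names and the packet list are assumptions made for illustration, and state tracking is not modelled.

```python
# Simplified model of the "flags <a>/<b>" rule criterion.
# Added example: illustrative only, not taken from pf's implementation.

# Flag letters as used in pf.conf: FIN, SYN, RST, PUSH, ACK, URG, ECE, CWR.
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
                 "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}


def parse_flags(spec):
    """Turn a spec such as 'S/SA' into (required_bits, mask_bits)."""
    want, sep, mask = spec.partition("/")
    if not sep or not mask:
        raise ValueError("expected <a>/<b>, got %r" % spec)

    def to_bits(letters):
        return sum(TCP_FLAG_BITS[c] for c in set(letters))

    return to_bits(want), to_bits(mask)


def flags_criterion_matches(proto, tcp_flags, spec):
    """True if a packet satisfies the flags criterion of a rule."""
    if proto != "tcp":
        # The criterion is not used for non-TCP packets, so it cannot
        # exclude them: ICMP and UDP fall through to a match.
        return True
    want, mask = parse_flags(spec)
    # Only the flags named in <b> are inspected; of those, exactly the
    # flags named in <a> must be set.
    return (tcp_flags & mask) == want


# Constructed sample packets: (label, protocol, TCP flag byte).
SAMPLE_PACKETS = [
    ("icmp echo request", "icmp", 0x00),
    ("udp datagram", "udp", 0x00),
    ("tcp SYN", "tcp", 0x02),
    ("tcp SYN+ECE+CWR", "tcp", 0xC2),   # E and W are outside the mask
    ("tcp SYN+ACK", "tcp", 0x12),
    ("tcp ACK", "tcp", 0x10),
    ("tcp PSH+ACK", "tcp", 0x18),
]


def passed_by(spec, packets=SAMPLE_PACKETS):
    """Labels of the sample packets that satisfy the flags criterion."""
    return [name for name, proto, flags in packets
            if flags_criterion_matches(proto, flags, spec)]


if __name__ == "__main__":
    for label in passed_by("S/SA"):
        print("match:", label)
```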