at 10:04 AM, Frédéric Goudal <frederic.gou...@bordeaux-inp.fr> wrote:
> - is there any reason to add keep state to a pass rule?
1) UDP rules don’t keep state by default.
2) Even for TCP connections, it’s better to explicitly throw a keep state
on there for clarity, so that people who come in behind you and actually
bother reading the documentation don’t have to ask the same question.
There are also other available options for TCP connections that you might
want to look into, such as flags S/SA (only allow initial handshake between
endpoints that don’t have an established state) and modulate state, which
generates strong, random ISNs for new connections.
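As an added illustration (not part of the original thread), here is a pf.conf fragment that puts the three options from the reply side by side. The interface name, the macro and the port numbers are assumptions chosen for the example; the comments say what each keyword actually does in pf. One caveat worth knowing before copying this: on OpenBSD 4.1 and later, pass rules keep state by default and TCP rules default to flags S/SA, so on those versions the explicit keywords are there for clarity and for readers of the file, exactly as point 2 argues; on older pf versions (and some ports) they are needed to get the behaviour at all.

```pf
# Example pf.conf fragment (constructed for illustration; "em0" is assumed).
ext_if = "em0"

# UDP has no handshake, so state is what lets the replies back in.
# On older pf this must be requested explicitly; on OpenBSD >= 4.1 it is
# already the default, and the keyword documents the intent.
pass out on $ext_if proto udp from ($ext_if) to any port { 53, 123 } keep state

# TCP with an explicit state and flag check:
#   flags S/SA = of the SYN and ACK bits (the mask "SA"), only SYN may be
#   set ("S"), i.e. only a bare SYN creates state. A SYN+ACK or a mid-stream
#   ACK that matches no existing state is not passed by this rule.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 \
    flags S/SA keep state

# modulate state: same as keep state, but pf rewrites the initial sequence
# numbers of new connections with strong random ISNs on the way through,
# protecting hosts behind it whose own ISN generation is predictable.
pass out on $ext_if proto tcp from ($ext_if) to any \
    flags S/SA modulate state
```

Before loading a ruleset like this, check its syntax without applying it with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`; `pfctl -ss` shows the state table, which is the quickest way to confirm that the UDP rule is really creating entries.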