Daniel Corbe (dco...@hammerfiber.com) on 2018.10.22 11:09:08 -0400:
> at 10:04 AM, Frédéric Goudal <frederic.gou...@bordeaux-inp.fr> wrote:
> >
> > - is there any reason to add keep state to a pass rule ?

Only if you want to use one of the "Stateful Tracking Options" (see
pf.conf(5)). For example, to add no-sync (don't send the state via
pfsync(4)) you would add "keep state (no-sync)" to a rule:

    pass in proto tcp from any to any port www keep state (no-sync)

(Of course you would only consider this if you actually have a pfsync(4)
interface configured).

> 1) UDP rules don't keep state by default.

Yes, they do.

> 2) Even for TCP connections, it's better to explicitly throw a keep state
> on there for clarity, so that people who come in behind you and actually
> bother reading the documentation don't have to ask the same question.

That's a matter of taste, but I prefer not to read and write a useless
"keep state" on every line.

> There's also other available options for TCP connections that you might
> want to look into, such as flags S/SA (only allow initial handshake between
> endpoints that don't have an established state)

which is the default too.

> and modulate state, which generates strong, random ISNs for new connections.
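As an added example (not part of the thread, and not a ruleset from either poster), the following OpenBSD pf.conf fragment puts the points of the reply side by side: the implicit keep state on pass rules for both TCP and UDP, the one case where writing "keep state" matters (a stateful tracking option such as no-sync), and the flags S/SA and modulate state options. The egress interface group and the port choices are assumptions made for the illustration.

```conf
# Added example (not from the thread): an OpenBSD pf.conf fragment showing the
# points made in the reply. The egress group and port names are assumptions.

# On OpenBSD every pass rule keeps state by default, so these two rules
# behave identically; the explicit "keep state" adds nothing.
pass in on egress proto tcp to port www
pass in on egress proto tcp to port www keep state

# The same holds for UDP (the reply's "yes, they do"): the state entry lets
# the replies back in without a separate rule for the return traffic.
pass in on egress proto udp to port domain

# Writing "keep state" explicitly only matters when you want one of the
# stateful tracking options from pf.conf(5). no-sync keeps this rule's states
# off pfsync(4); it is only meaningful if a pfsync interface is configured.
pass in on egress proto tcp to port www keep state (no-sync)

# flags S/SA: create state only on a packet with SYN set and ACK clear, that
# is, the first packet of the handshake. This is already the default for TCP,
# so the explicit form documents behaviour rather than changing it.
pass in on egress proto tcp to port ssh flags S/SA

# modulate state: like keep state, but pf rewrites the initial sequence
# numbers with strong random ISNs on behalf of hosts with weak generators.
pass in on egress proto tcp to port smtp modulate state
```

To check the fragment parses before loading it, run it through pfctl in dry-run mode (pfctl -nf file); the rules with and without "keep state" load to the same state-tracking behaviour, which is the reason the reply regards the explicit keyword as noise.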