On Fri, Jul 28, 2023 at 10:09:31PM +0100, Polarian wrote:
> I do have one question, if anyone is willing to answer it, so I have on and
> off specified "keep state" depending on when I wrote the rule, but the
> following specifies it is the default:
> https://www.openbsd.org/faq/pf/filter.html
> So why do a lot of examples I see specify keep state if it is the default,
> is there any benefit of specifying it which I am missing?

I would guess that some of the examples are based on something that was written
long enough ago that "keep state" was not the default. 

I personally only add "keep state" when I also need to add state options 
such as pflow or state tracking options.

If you do a "pfctl -vnf /etc/pf.conf" and compare the output to the
stored file, you will see that "keep state" and possibly other defaults
will be appended (and things like lists of ports generating several
rules and so on).

- Peter

Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: disconnected after 42673 seconds.
