On Wed, Dec 13, 2006 at 04:10:44PM -0800, Michael K. Smith - Adhost wrote:
> Hmm, I'm not sure.... the term <established> is (IMHO) used by CISCO ACLs,
> and it means every IP packet is a response from inside.
Ah, so it's not really stateful filtering (where the firewall keeps track of which connections have been established), but merely syntactic sugar for filtering based on TCP flags (pass non-SYN packets, and only filter SYNs, assuming that when the SYN is not passed, passing non-SYNs is harmless).

If you want to do that (i.e. filter statelessly) with pf, you can, but then you wouldn't use 'keep state' at all. Look at the 'flags' option in pf.conf(5).

Daniel
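As an added illustration (not part of the thread, and not pf's or Cisco's code), here is a small Python model of the two semantics Daniel contrasts: a stateless "established"-style check that looks only at the SYN/ACK bits, next to a simplified "keep state" table that remembers connections opened from inside. The packet fields and sample traffic are constructed for the demonstration; the state tracking ignores TCP sequence numbers and timeouts.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool
    inbound: bool  # True: the packet arrives from the outside interface


def filter_established(packets):
    """Cisco-style 'established': a stateless test on TCP flags.
    An inbound packet is allowed unless it is a bare SYN; anything with
    ACK set is presumed to belong to a connection opened from inside,
    whether or not such a connection exists. Outbound traffic passes."""
    decisions = []
    for p in packets:
        if not p.inbound:
            decisions.append(True)
        else:
            decisions.append(not (p.syn and not p.ack))
    return decisions


def filter_keep_state(packets):
    """pf-style 'keep state', simplified: an outbound packet creates a
    state entry, and an inbound packet passes only if it matches the
    reverse of an existing entry. No flag trickery can satisfy that."""
    states = set()
    decisions = []
    for p in packets:
        if not p.inbound:
            states.add((p.src, p.sport, p.dst, p.dport))
            decisions.append(True)
        else:
            decisions.append((p.dst, p.dport, p.src, p.sport) in states)
    return decisions


# Constructed sample traffic using documentation address ranges.
SAMPLE = [
    Packet("10.0.0.5", 40000, "203.0.113.9", 80, True, False, False),  # inside opens a connection
    Packet("203.0.113.9", 80, "10.0.0.5", 40000, True, True, True),    # legitimate SYN/ACK reply
    Packet("198.51.100.7", 1234, "10.0.0.5", 22, False, True, True),   # unsolicited packet, ACK set
    Packet("198.51.100.7", 1234, "10.0.0.5", 22, True, False, True),   # unsolicited bare SYN
]

if __name__ == "__main__":
    for name, fn in (("established", filter_established), ("keep state", filter_keep_state)):
        print(name, ["pass" if d else "block" for d in fn(SAMPLE)])
```

Run stand-alone, the third sample packet is where the two differ: the flag-only check passes it because ACK is set, while the state table blocks it because no inside host ever opened that connection.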
