On Tue, Jan 23, 2007 at 03:23:36PM +0000, Stuart Henderson wrote:
> > I don't use flags anywhere in my keep state rules... Are you saying that I
> > should use those flags everywhere
>
> Yes, use them everywhere.
Yep. It turns out that if you don't, your firewall may pick up a TCP connection in the middle and create a state for it, but certain things about it (I believe the window size) can only be properly interpreted if the firewall saw the SYN (I believe the wscale option), so you will get weird behavior if you don't specify flags S/SA for every keep state on a TCP rule. (I believe now you can specify it on other rules; pf is smart enough to ignore them for UDP et al.)

-- 
``Unthinking respect for authority is the greatest enemy of truth.'' -- Albert Einstein
-><- <URL:http://www.subspacefield.org/~travis/>
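As an added illustration of the point made in the reply above (this fragment is not from the thread; the interface name, the server address and the port are made up for the example), here is a pf.conf fragment showing a TCP keep state rule without flags next to the corrected form:

```pf
# Added example, not from the thread. $ext_if, $webserver and port 80 are assumed.
ext_if = "fxp0"
webserver = "192.0.2.10"

# Weak: no flags, so pf creates a state from any matching TCP packet,
# including one taken from the middle of an existing connection. The
# window scale option is only carried in the SYN and SYN+ACK segments,
# so a state created mid-stream cannot track the peers' windows correctly.
pass in on $ext_if proto tcp from any to $webserver port 80 keep state

# Corrected: "flags S/SA" means "of the SYN and ACK bits, only SYN may be
# set", i.e. the first packet of the handshake. Only that packet creates
# the state, so pf always sees the handshake and its options.
pass in on $ext_if proto tcp from any to $webserver port 80 flags S/SA keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it; `pfctl -ss` lists the states pf currently holds, which is where a mid-stream pickup shows up as a state with an odd window or sequence range.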
