On Fri, Feb 08, 2008 at 03:37:33PM +0700, Dmitry Medvedev wrote: > Is that correct behavior what we need to specify "keep state", which > is should be by default? or I miss something?
Yes, this is the correct behaviour when you're trying to set state tracking options. In the pf.conf(5) manpage: STATEFUL TRACKING OPTIONS A number of options related to stateful tracking can be applied on a per- rule basis. keep state, modulate state and synproxy state support these options, and keep state must be specified explicitly to apply options to a rule. -Ryan
