Hello, this tiny update to pf.conf(5) has been prompted here [1] on the pf mailing list. By default only ICMP queries are allowed to create state in pf(4). The sloppy option relaxes that so ICMP replies can also create a state. I think this should also be mentioned in pf.conf(5).
OK to my suggestion below? thanks and regards sashan [1] https://marc.info/?l=openbsd-pf&m=165160086423472&w=2 --------8<---------------8<---------------8<------------------8<-------- diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index fe4b117994a..7389d231fe2 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -2186,6 +2186,9 @@ It cannot be used with .Cm modulate state or .Cm synproxy state . +The option also relaxes handling of ICMP such that also ICMP replies +are allowed to create state. +By default ICMP queries only are allowed to create state. .It Ar timeout seconds Changes the .Ar timeout
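Review bot: the three added lines after ".Cm synproxy state ." state the exception before the default and word both awkwardly ("such that also ICMP replies", "ICMP queries only are allowed"). A reader deciding whether to enable the option needs the default first, so I would swap the order and tighten the wording, for example: "By default, only ICMP queries are allowed to create state. With this option, ICMP replies are allowed to create state as well." Replacing "The option" with "this option" (or naming sloppy, as the cover message does) also helps, since the preceding sentence ends on modulate state and synproxy state and the antecedent is easy to misread. Because the added text documents a relaxation of what traffic may create state, it would be worth saying in the same paragraph that this applies only when the option is set, so nobody reads it as a change to the default behaviour.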