For several years now, flags S/SA has been the default.
A simple sample ruleset to protect an OpenBSD host from its Windows peers in the LAN:
Code:
# external interface and the services this host may reach
EXT=re0
TCPservices = "{ www https domain }"
UDPservices = "{ domain }"
# loopback is never filtered
set skip on lo0
# default deny in both directions, logged to pflog0
block log all
# only outbound connections from this host to the listed services are allowed
pass out quick on $EXT inet proto tcp from $EXT to any port $TCPservices
pass out quick on $EXT inet proto udp from $EXT to any port $UDPservices
As you can see, neither keep state nor flags S/SA is used.
A test load of the rules shows:
Code:
# pfctl -vvnf block-all.pf
EXT = "re0"
TCPservices = "{ www https domain }"
UDPservices = "{ domain }"
set skip on { lo0 }
@0 block drop log all
@1 pass out quick on re0 inet proto tcp from 192.168.222.20 to any port = www flags S/SA keep state
@2 pass out quick on re0 inet proto tcp from 192.168.222.20 to any port = https flags S/SA keep state
@3 pass out quick on re0 inet proto tcp from 192.168.222.20 to any port = domain flags S/SA keep state
@4 pass out quick on re0 inet proto udp from 192.168.222.20 to any port = domain keep state
As you can see, pf has automatically added all the necessary keep state stuff.
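For comparison, here is the same ruleset written out with the options pf adds implicitly, so the expanded rules from pfctl -vvnf can be checked against what the author meant. This is an added example, not part of the original post: the LAN prefix macro is a constructed placeholder, and the commented-out last rule only shows the keywords that switch the defaults off.

```pf
# Added example, not from the original post. EXT matches the post; LAN is a
# constructed placeholder for documentation, it is not used by any rule below.
EXT = "re0"
LAN = "192.168.222.0/24"
TCPservices = "{ www https domain }"
UDPservices = "{ domain }"

set skip on lo0

# Default deny, logged, so anything unexpected shows up on pflog0.
block log all

# Explicit form of what pf adds on its own: a TCP state is only created by a
# packet with SYN set and ACK clear (flags S/SA), and replies are matched
# against that state instead of needing their own pass rule (keep state).
pass out quick on $EXT inet proto tcp from $EXT to any port $TCPservices flags S/SA keep state
pass out quick on $EXT inet proto udp from $EXT to any port $UDPservices keep state

# Shown only for contrast, normally you want neither override:
#   "flags any" matches regardless of TCP flags, so a stray mid-stream
#               packet could open a state;
#   "no state"  disables state tracking, so the inbound replies would be
#               dropped by "block log all" unless passed explicitly.
# pass out quick on $EXT inet proto tcp from $EXT to any port $TCPservices flags any no state
```

Load it the same way as in the post, with pfctl -vvnf, and the @1 to @4 lines should come out identical to the expansion shown above; only the commented-out rule would change them.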