On 2006/08/27 15:23, Joachim Schipper wrote:
> > pass in log on $ext_if inet proto tcp from any to ($ext_if) \
> > port $tcp_services flags S/SA keep state
>
> Also, the flags directive is redundant with scrub, unless I am mistaken.
Where you're using a standard PF setup with stateful filtering, you want `flags S/SA keep state' on _every_ tcp pass rule, or you can end up with state synced to non-initial packets, causing problems with OSes that use TCP window scaling.

(PF checks that TCP sequence numbers are within reasonable bounds; to know what bounds are OK, it needs to know what window-scaling options were negotiated in the 3-way handshake. State created from an existing connection [i.e. from a packet without SYN set] does not have the information to determine this.)
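As an added illustration (not part of the thread, and not the original poster's or Joachim's ruleset), the quoted rule in a minimal pf.conf of that era, beside the form the reply warns against. The interface name and port list are placeholder macro values. `S/SA` means: of the SYN and ACK bits, only SYN may be set, i.e. the first packet of the 3-way handshake. For readers on newer releases: since OpenBSD 4.1 pf applies `flags S/SA keep state` to tcp pass rules by default, so spelling it out matters most on the PF versions this thread is about.

```pf
# Added example, not from the original thread. Macro values are placeholders.
ext_if = "em0"
tcp_services = "{ 22, 80, 443 }"

# Normalise incoming packets. scrub reassembles fragments and cleans up
# headers; it does not stop a mid-connection packet from creating state.
scrub in all

block in all

# Weak form: any matching TCP packet, including one from the middle of an
# existing connection, can create state. PF then never saw the window-scaling
# option negotiated in the handshake and cannot do proper sequence checking
# for hosts that use window scaling.
#
# pass in log on $ext_if inet proto tcp from any to ($ext_if) \
#     port $tcp_services keep state

# Corrected form: only a SYN without ACK may create state, so every state
# entry is built from the start of the handshake.
pass in log on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state

# The same applies to outbound tcp pass rules.
pass out on $ext_if inet proto tcp from ($ext_if) to any \
    flags S/SA keep state
```

Load and check with `pfctl -nf /etc/pf.conf` before `pfctl -f /etc/pf.conf`; `pfctl -ss` then shows only states whose first packet was a SYN.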