OK, I changed the above rules into the following ones:
pass in on $ext_if proto tcp to ($ext_if) port 22 flags S/SA modulate state
pass out on $ext_if proto { tcp, udp, icmp } from any to any flags S/SA modulate state
With these rules, pf only keeps state when the SYN flag is set. Is that right?
Not precisely.
The TCP flags are SYN, ACK, FIN, PSH, RST and URG.
'flags S/SA' means:
look only at the flags SYN and ACK and ensure that only SYN is set.
So it will accept malformed packets such as ones with SYN|FIN|RST set, but
that is another story.
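The check/mask semantics described in the answer, as an added example that is not part of the original thread and not pf's own code: a small C model of how pf evaluates 'flags check/mask'. The flag letters follow pf.conf (F, S, R, P, A, U) and the bit values are the TCP header's; the function names (parse_flags_spec, flags_match, spec_matches) and the sample packets are assumptions made for this illustration. It shows that 'flags S/SA' matches a SYN|FIN|RST packet, while the wider mask 'S/SAFR' does not.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP header flag bits in header order (RFC 793 plus PSH and URG). */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_PSH 0x08
#define TH_ACK 0x10
#define TH_URG 0x20

/* Map a pf.conf flag letter to its bit; 0 for anything else. Only the six
 * flags discussed in the thread are modelled (pf also accepts E and W for
 * ECE/CWR, omitted here). */
static uint8_t flag_bit(char c)
{
    switch (c) {
    case 'F': return TH_FIN;
    case 'S': return TH_SYN;
    case 'R': return TH_RST;
    case 'P': return TH_PSH;
    case 'A': return TH_ACK;
    case 'U': return TH_URG;
    default:  return 0;
    }
}

/* Parse a pf-style "check/mask" spec such as "S/SA" into two bitmasks.
 * Returns 0 on success, -1 on an unknown letter, a missing '/', or a check
 * flag that is not also named in the mask (pfctl rejects that as well). */
int parse_flags_spec(const char *spec, uint8_t *check, uint8_t *mask)
{
    const char *slash = strchr(spec, '/');
    if (slash == NULL)
        return -1;
    *check = 0;
    *mask = 0;
    for (const char *p = spec; p < slash; p++) {
        uint8_t b = flag_bit(*p);
        if (b == 0)
            return -1;
        *check |= b;
    }
    for (const char *p = slash + 1; *p != '\0'; p++) {
        uint8_t b = flag_bit(*p);
        if (b == 0)
            return -1;
        *mask |= b;
    }
    if ((*check & *mask) != *check)
        return -1;
    return 0;
}

/* pf semantics of "flags check/mask": among the bits named in mask, exactly
 * the ones in check must be set. Bits outside the mask are never examined,
 * which is why S/SA lets a SYN|FIN|RST packet through. */
int flags_match(uint8_t pkt_flags, uint8_t check, uint8_t mask)
{
    return (pkt_flags & mask) == check;
}

/* Convenience wrapper (assumed helper): 1 if a packet carrying pkt_flags
 * matches spec, 0 if it does not, -1 if spec is malformed. */
int spec_matches(const char *spec, uint8_t pkt_flags)
{
    uint8_t check, mask;
    if (parse_flags_spec(spec, &check, &mask) != 0)
        return -1;
    return flags_match(pkt_flags, check, mask);
}

int main(void)
{
    /* Constructed sample packets: a normal SYN, a SYN|ACK reply, a bare ACK
     * and the SYN|FIN|RST combination mentioned in the thread. */
    const struct { const char *name; uint8_t flags; } pkts[] = {
        { "SYN",         TH_SYN },
        { "SYN|ACK",     TH_SYN | TH_ACK },
        { "ACK",         TH_ACK },
        { "SYN|FIN|RST", TH_SYN | TH_FIN | TH_RST },
    };
    const char *specs[] = { "S/SA", "S/SAFR" };

    for (size_t s = 0; s < sizeof specs / sizeof specs[0]; s++)
        for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++)
            printf("flags %-7s packet %-12s -> %s\n", specs[s], pkts[i].name,
                   spec_matches(specs[s], pkts[i].flags) == 1 ? "match" : "no match");
    return 0;
}
```

The mask is the set of flags pf looks at and the check is the subset that must be set within it; anything outside the mask is ignored. Widening the mask, as in 'S/SAFR', is what makes the rule reject the SYN|FIN|RST packet, at the cost of also having to decide what you want done with every other combination you now inspect.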