On Wed, Jan 24, 2007 at 02:39:42PM -0600, Travers Buda wrote:
> Last time I checked though, clients only talk with the web server on
> port 80. So, the only reason you would want to keep state would be if
> you have a ruleset like block out all (which is generally only useful
> if you don't trust the users of said machine.) So, just unconditionally
> pass port 80 traffic in both directions.
But then your firewall doesn't protect your webservers from SYN floods and sequence number guessing attacks. See "synproxy state" in pf.conf(5)
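The two rulesets being argued over, written out in pf.conf(5) syntax as an added illustration (this is not configuration from either poster). It assumes a pf firewall acting as a router between an external interface and a web server on the internal network; the interface names fxp0/fxp1 and the 192.0.2.10 address are placeholders.

```pf
# Added example; not from the thread. Topology and names are assumptions:
# pf firewall with external interface $ext_if, internal interface $int_if,
# one web server behind it.
ext_if    = "fxp0"
int_if    = "fxp1"
webserver = "192.0.2.10"

block all

# Stateless variant, as the quoted message proposes: port 80 is passed in
# both directions with no state entry. Every SYN, including a flood of
# spoofed ones, is forwarded straight to the web server, which has to set
# aside a half-open connection for each. ("no state" is spelled out so the
# rules stay stateless on pf versions where keep state became the default;
# on older pf, omitting the state keyword has the same effect.)
#pass in  quick on $ext_if proto tcp from any to $webserver port 80 no state
#pass out quick on $int_if proto tcp from any to $webserver port 80 no state
#pass in  quick on $int_if proto tcp from $webserver port 80 to any no state
#pass out quick on $ext_if proto tcp from $webserver port 80 to any no state

# Stateful variant with synproxy, as the reply recommends: pf answers the
# client's SYN itself and only opens a connection to the web server once
# the client's ACK has completed the three-way handshake, so spoofed SYNs
# never reach the server. synproxy state implies modulate state, so pf
# also replaces the server's initial sequence number with a strong random
# one on the client-facing side, which is what addresses the sequence
# number guessing the reply mentions.
pass in on $ext_if proto tcp from any to $webserver port 80 \
    flags S/SA synproxy state
# The reply packets and pf's own connection to the server are matched by
# the state entry created above; with the default floating state policy
# that entry also carries them across $int_if, so no extra rule is needed.
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and watch `pfctl -ss` while a client connects: a synproxied connection shows up as a state entry on the firewall rather than as a half-open socket on the web server. One caveat straight from pf.conf(5): synproxy does not work when pf is running on a bridge(4), so this only helps on a routing firewall like the one assumed here.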