On 2006/08/27 15:23, Joachim Schipper wrote:
> > pass in log on $ext_if inet proto tcp from any to ($ext_if) \
> > port $tcp_services flags S/SA keep state
>
> Also, the flags directive is redundant with scrub, unless I am mistaken.

Where you're using a standard PF setup using stateful filtering
you want `flags S/SA keep state' on _every_ tcp pass rule, or you can
end up with state sync'd to non-initial packets, causing problems
with OS using TCP window-scaling.

(PF checks that TCP sequence numbers are within reasonable bounds;
to know what bounds are OK, it needs to know what window-scaling
options were negotiated in the 3-way handshake; state created from
an existing connection [i.e. packet without SYN set] does not have
the information to determine this).