pfctl - Change default keep-policy to bring more in-line with other BSDs
* Change the default keep-policy to the equivalent of:
set keep-policy keep state (pickups, sloppy)
* This is being done because without keep state PF is simply going to be
too inefficient for any reasonable set of rules, and we no longer want
to make users set the keep-policy line when keep state is already the
default in other BSD systems.
* Note that we also set pickups and sloppy by default. This allows the
router and/or PF to be restarted and allows packet routing to change
mid-stream without causing all active TCP connections to drop. This
may not be the default in other BSD systems but it should be. Being
ultra strict here to improve security against ICMP-based attacks removes
too much flexibility to be appropriate. Proper TCP implementations
already do sequence space checks for RST packets.
sephe's projects / dragonfly.git / commit