From 2c9096e015b7f89a3b237b964f8f36c2066f1d98 Mon Sep 17 00:00:00 2001
From: halex <>
Date: Wed, 13 Feb 2013 23:11:14 +0000
Subject: [PATCH] Add a 'block' rule prior to the state creating 'pass' rule.
This way, TCP packets of e.g. timed out states are blocked rather than passed by the implicit default pass rule. sthen@ benno@ phessler@ mikeb@ agrees
---
 src/etc/pf.conf | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/etc/pf.conf b/src/etc/pf.conf
index da750651..963bd28e 100644
--- a/src/etc/pf.conf
+++ b/src/etc/pf.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: pf.conf,v 1.51 2013/01/26 17:12:21 claudio Exp $
+# $OpenBSD: pf.conf,v 1.52 2013/02/13 23:11:14 halex Exp $
 #
 # See pf.conf(5) for syntax and examples.
 # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
@@ -16,7 +16,8 @@ set skip on lo
 # anchor for relayd(8)
 #anchor "relayd/*"
-pass # to establish keep-state
+block # block stateless traffic
+pass # establish keep-state
 # rules for spamd(8)
 #table persist
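Review bot: The comment on the new `block` line understates what the rule does: pf applies the last matching rule, so `block` is a catch-all default deny and anything the following `pass` does not match — including the commit's example of TCP packets whose state has timed out, which the `pass` rule's default TCP flag matching presumably no longer creates state for — is now silently dropped rather than passed (pf's default block-policy is drop unless `set block-policy return` is configured). A more precise comment would be `block		# default deny: anything the 'pass' rule below does not match is dropped`. Because this turns formerly passed traffic into silent drops, consider `block log` so the hits are visible on pflog0 when diagnosing stalled connections. The first hunk is only the RCS id bump and needs nothing.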