:Yes, quoting http://www.openbsd.org/faq/pf/filter.html:
:
:In OpenBSD 4.1 and later, the default flags S/SA are applied to all TCP
:filter rules.
:
:Since OpenBSD 4.1, "keep state" is also the default.
:
:Cedric

    I found the code.  NetBSD hasn't seemed to have adopted that change.

    I'm not sure I want to adopt the keep state by default on pass
    rules but S/SA clearly must be adopted and its default modified by
    the new options (i.e. S/SA set by default (also for 'nopickups'),
    and not set if 'pickups' or 'hashonly' since we want to pickup the
    stream in the middle for the latter two.

    Some of this stuff is starting to look a little overboard.  I can see
    having keep state on as a default if it didn't have such an adverse
    effect on existing TCP streams on reboot, but it does and because it
    does I don't think I want it turned on as a default in DragonFly.  

    Or, alternatively, we could turn it on by default in DragonFly but
    as 'hashonly' unless a keep state directive is explicitly specified
    in the rule.  But then issues pop up where the administrator might not
    have wanted keep state for everything due to extreme volumes and doing
    that could blow out the areas he DID want keep state on.  So, right now,
    I'm inclined not to turn on keep state by default if it isn't specified
    in the rule.

					-Matt
					Matthew Dillon 
					<dillon@backplane.com>