在 freebsd pf 上阻止未建立连接的数据包

对于 freebsd pf 防火墙；我希望它阻止未建立连接的数据包。例如，攻击者不应为未知的尚未建立的连接发送重置数据包。

在 Linux 中很容易做到

-d targethost -m state --state NEW -j ACCEPT
-m state --state RELATED,ESTABLISHED -j ACCEPT

这将允许建立新的状态，并阻止除已建立状态 (ESTABLISHED) 的数据包之外的任何其他内容

我认为 freebsd pf 也应该这样工作。pf 有这样的功能吗？您认为下面的规则集应该允许未建立连接的重置数据包吗？

# pfctl -sr -vvv
@0 pass in log (all) quick from <administrators:4> to any flags S/SA synproxy state
  [ Evaluations: 423       Packets: 0         Bytes: 0           States: 4     ]
  [ Inserted: uid 0 pid 25567 State Creations: 4     ]
@1 block drop log (all) quick inet6 all
  [ Evaluations: 419       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 25567 State Creations: 0     ]
@2 block drop log (all) quick from <blacklist:0> to any
  [ Evaluations: 419       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 25567 State Creations: 0     ]
@3 pass log (all) quick all flags S/SA keep state
  [ Evaluations: 419       Packets: 103       Bytes: 10941       States: 15    ]
  [ Inserted: uid 0 pid 25567 State Creations: 19    ]

tcpdump -i pflog0 不会接受（传递或阻止）发往防火墙后面的主机的重置数据包。