> As far as the question of using keep-state rules on both the private
> and public interfaces, this is cross population of the single
> stateful table, and returning packets are being matched to entries in
> the stateful table which do not belong to the interface the original
> entry was posted from. This is a logic error and invalidates the
> function of the purpose of the whole stateful concept.

A logic error is only there if something doesn't work. The proposed
solution works, so there is no logic error. I can't see how the stateful
concept has been invalidated - the mechanism works as intended. What
you've presented is a matter of opinion rather than any concrete example
as to why the proposed solution is insecure.
