The "Passing Traffic" example at
http://www.openbsd.org/faq/pf/filter.html
doesn't seem to be completely accurate.

        # Pass traffic in on dc0 from the local network, 192.168.0.0/24,
        # to the OpenBSD machine's IP address 192.168.0.1. Also, pass the
        # return traffic out on dc0.
        pass in  on dc0 from 192.168.0.0/24 to 192.168.0.1
        pass out on dc0 from 192.168.0.1 to 192.168.0.0/24

It's the "return" that bugs me: the first rule alone
causes the _return_ traffic to be passed. The second
rule allows traffic that originates (creates state)
on the way out. Right?
