Hello, hoping for some guidance here. Trying to build a firewall system on OpenBSD.
It appears that PF has a fundamental design problem for high-security environments. When you allow creating new states for LAN -> WAN traffic, and subsequently need to filter the return packets, that is simply impossible. For example: you execute a traceroute and the middle hops have RFC1918 IPs. As a general rule of thumb, you should filter RFC1918 sources from your WAN side. Yet, there is no way to accomplish that through PF.

One workaround I have found is that you can use a transit rdomain which is stateless - you can then filter per-packet and achieve the desired behavior. The caveat: increased CPU usage, less throughput.

What is the established way to handle this on OpenBSD - if there is one at all?
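To make the setup in the post concrete, here is an added example of the stateless transit rdomain arrangement it describes. This is not the poster's configuration: the interface names (em0, em1, pair0, pair1), the addresses, the rdomain number and the upstream gateway are all assumptions, and the hostname.if / route lines in the leading comment are the plumbing the pf.conf below expects. Stateful filtering stays in rdomain 0 (LAN side), and rdomain 1 carries only per-packet rules, so the RFC 1918 check on the WAN interface is applied to every packet, including the ICMP time-exceeded replies a traceroute elicits from private-addressed hops.

```conf
# Added example, not the original poster's pf.conf. All names, addresses
# and the rdomain number are assumptions made for illustration.
#
# Assumed plumbing (sysctl net.inet.ip.forwarding=1 in /etc/sysctl.conf):
#   /etc/hostname.em1   : inet 192.168.1.1 255.255.255.0
#   /etc/hostname.pair0 : inet 10.255.0.1 255.255.255.252
#                         patch pair1
#                         !route add default 10.255.0.2
#   /etc/hostname.pair1 : rdomain 1
#                         inet 10.255.0.2 255.255.255.252
#   /etc/hostname.em0   : rdomain 1
#                         inet 203.0.113.2 255.255.255.0
#                         !route -T1 add default 203.0.113.1
#                         !route -T1 add 192.168.1.0/24 10.255.0.1

ext_if   = "em0"            # WAN, lives in rdomain 1
int_if   = "em1"            # LAN, lives in rdomain 0
transit0 = "pair0"          # rdomain 0 end of the transit link
transit1 = "pair1"          # rdomain 1 end of the transit link
lan_net  = "192.168.1.0/24"

table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo

# --- rdomain 0: stateful side (LAN <-> transit) ---------------------------
# States created here are looked up before the ruleset is evaluated, so a
# reply that matches one of them is never compared against a block rule.
# That is the behaviour the post describes; the RFC 1918 check is therefore
# not placed in this rdomain at all.
block on rdomain 0
pass in  on $int_if   inet from $lan_net to any
pass out on $transit0 inet from $lan_net to any

# --- rdomain 1: stateless transit (transit <-> WAN) -----------------------
# "no state" makes every packet traverse the ruleset, so the quick block on
# $ext_if also catches ICMP errors sourced from private hops on the path.
block on rdomain 1
block in quick on $ext_if inet from <rfc1918> to any
pass in  on $transit1 inet from $lan_net to any no state
pass out on $ext_if   inet from $lan_net to any no state
pass in  on $ext_if   inet from any to $lan_net no state
pass out on $transit1 inet from any to $lan_net no state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it. Because rdomain 1 admits any WAN packet addressed to the LAN prefix, the stateful rules in rdomain 0 are what decide whether it reaches a host; the transit rdomain only adds the per-packet source filter, at the CPU and throughput cost the post mentions.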

