Hi,

As far as I understand you are trying to limit the amount of firewall rules, that means you won't have to write a specific outbound rule.

As far as I understood from the kernel source glimpse, the <- and -> in pfctl -ss mean PF_IN and PF_OUT. So although you have not limited the rules to a specific interface, something similar happens: tcp "src" and "dst" ports get turned the wrong way. Perhaps there are other reasons why only one rule won't work. I saw no mention in state table lookups to policy if-bound, only one standard check. My understanding is that you must have two entries in the state table for the packet to pass through the router/fw, but I am unable to tell if the second entry can be autogenerated. This is as much as I understood from the glimpse at the kernel source.

Another and perhaps simpler solution would be to pass out all and filter only on pass in (that means you trust what is already inside). At the present moment I am unable to check that idea for flaws; I would go that way.

Juhani

--
View this message in context: http://www.nabble.com/how-to-confirm-i-am-gaining-advantage-from-floating-state-policy-tf4163808.html#a11863013
Sent from the openbsd user - misc mailing list archive at Nabble.com.
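The "pass out all and filter only on pass in" layout suggested in the reply above, written out as a pf.conf sketch. This is an added example, not part of the original message or of OpenBSD's own documentation; the interface names em0/em1 and the ssh service are assumptions chosen for illustration. The `set state-policy` line makes the thread's subject explicit: with `floating`, a state created by the `pass out` rule can match the reply no matter which interface it arrives on, whereas `if-bound` requires the state to be matched on the interface it was created on.

```pf
# Added example pf.conf (not from the original post).
# Interface names are assumptions; adjust to the real ones.
ext_if = "em0"
int_if = "em1"

# Explicit state policy. "floating" (the default) lets a state created on
# one interface match traffic on another; "if-bound" ties it to the
# creating interface, so a single rule is less likely to cover both sides.
set state-policy floating

# Default deny, logged, so anything not covered below shows up in pflog.
block log all

# Trust what is already inside: every packet leaving the firewall is
# allowed and creates a state entry. "quick" stops rule evaluation here.
pass out quick keep state

# Filter only on the way in. Hosts on the inside may start connections;
# from the outside only ssh to the firewall's own address is accepted.
pass in on $int_if from $int_if:network keep state
pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state
```

To check the ruleset without loading it, run `pfctl -nf /etc/pf.conf`; after loading, `pfctl -ss` lists the state table, where `->` marks states created in the outbound direction and `<-` those created inbound, which is a quick way to confirm which rule actually produced the state for a given connection.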

