On Mon, Jul 30, 2007 at 05:46:34AM -0700, Juhani wrote:
> As far as I understood from the kernel source glimpse, the <- and -> in
> pfctl -ss mean PF_IN and PF_OUT. So although you have not limited the rules
> to a specific interface, something similar happens: tcp "src" and
> "dst" ports get turned the wrong way. Perhaps there are other reasons why
> only one rule won't work.
Last time I looked into this, when forwarding packets statefully *through* a firewall you needed two states: one for inbound packets, and one for outbound packets. See the thread around http://marc.info/?l=openbsd-misc&m=116903927311635&w=2

So, whilst a state can be "floating", i.e. not bound to any interface, you still need one for in and one for out. I don't think "floating" is intended to minimise the number of states; I presume it's just to allow for networks which load-share across multiple paths.

However, this is just my understanding of things from a user point of view, which may very well be flawed. Someone with a knowledge of pf internals could give a more authoritative answer.

Regards,
Brian.
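As an added illustration of the "one state in, one state out" arrangement described in the reply above (this is an example ruleset written for this page, not a configuration posted by either participant), the following pf.conf fragment forwards web traffic from an internal LAN out through an external interface with an explicit inbound rule on the inside and an explicit outbound rule on the outside. The interface names, the LAN prefix and the restriction to port 80 are assumptions made for the example.

```pf
# Example pf.conf fragment (constructed for this page; interface names and
# addresses are assumptions). The firewall forwards HTTP from the LAN to
# the Internet and tracks the flow statefully on both sides of the box.

ext_if  = "em0"            # assumed external interface
int_if  = "em1"            # assumed internal interface
lan_net = "192.168.1.0/24" # assumed LAN prefix behind $int_if

# Block everything by default so that only the two rules below can pass
# the forwarded traffic; "log" lets you see what got dropped in pflog0.
block log all

# Inbound side: the first SYN of a LAN client arrives on $int_if.
# This rule creates the "in" state for the connection.
pass in  on $int_if proto tcp from $lan_net to any port www \
    flags S/SA keep state

# Outbound side: the same packet leaves the box on $ext_if.
# This rule creates the matching "out" state; without it the packet is
# dropped by the default block even though the "in" state exists.
pass out on $ext_if proto tcp from $lan_net to any port www \
    flags S/SA keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then with `pfctl -f /etc/pf.conf`; after a LAN host opens a connection to port 80, `pfctl -ss` should list two entries for that one TCP flow, one created by each of the two pass rules. Omitting the `pass out` rule while keeping `block all` is the quickest way to reproduce the "only one rule won't work" symptom discussed in the thread.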

