> no. in practice the state is hammered to the interface, which is a very very
> very good thing (I rely on it for the firewalls in front of the server
> networks here which has tons of vlan interfaces. on the external interface I
> do spoof protection - out: src must be from an internal net, in: dest must
> be from an internal net -, on each vlan interface there are rules for
> incoming and outgoing policy, and a packet crossing vlans must go through
> the outbound policy on the source vlan interface and through the inbound
> policy on the destination vlan interface, where inbound and outbound is from
> the network view and actually reversed when you look at the interface).
Henning and Daniel,
You really got the point. Now everything makes sense (I feel like
I'm shining). This description is missing from the man pages and the PF
howto. Thanks guys.
--
Hélio Alexandre Lopes Loureiro [[EMAIL PROTECTED]]
Regional Software Supply & Integration
South America
Tel.: + 55 11 6224-1795
Public Key ID: FB5972D1@http://search.keyserver.net
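
A pf.conf sketch of the layout described in the quoted text, added here as an example and not taken from either poster's ruleset. Interface names, networks and ports are constructed, and `set state-policy if-bound` is an assumption used to make the interface-bound state explicit.

```pf
# Constructed example: interfaces, networks and ports are assumptions.
ext_if   = "em0"
vlan_web = "vlan10"
vlan_db  = "vlan20"
net_web  = "192.0.2.0/25"
net_db   = "192.0.2.128/25"
table <internal> const { $net_web, $net_db }

# Assumption: set explicitly so that a state created on one interface
# never matches the same packet on another interface.
set state-policy if-bound
set skip on lo

block log all

# External interface: spoof protection only.
#   out: source must be an internal net
#   in:  destination must be an internal net
block in  quick on $ext_if from any to ! <internal>
block out quick on $ext_if from ! <internal> to any
pass on $ext_if

# Per-vlan policy. Direction is named from the network's point of view,
# which is reversed when seen from the interface:
#   network "outbound" policy = "pass in"  on its vlan interface
#   network "inbound"  policy = "pass out" on its vlan interface

# web network, outbound: may reach the database and the outside world
pass in  on $vlan_web proto tcp from $net_web to $net_db port 5432
pass in  on $vlan_web proto tcp from $net_web to ! <internal> port { 80 443 }

# web network, inbound: anyone may reach the web servers
pass out on $vlan_web proto tcp from any to $net_web port { 80 443 }

# db network, inbound: only the web network may reach the database
pass out on $vlan_db proto tcp from $net_web to $net_db port 5432

# db network, outbound: nothing is initiated from here (default block applies)
```

A web-to-db connection has to match both the `pass in` rule on `$vlan_web` and the `pass out` rule on `$vlan_db`; each creates its own state on its own interface, so removing either rule breaks the flow.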