On Sun, 17 Oct 2004, Oliver Humpage wrote:
State only works on the interface on which it was created. You will need another keep state rule on the external interface allowing packets out.
pf.conf(5) says that state is floating by default. So in my opinion it should not be necessary to add an additional pass out rule.
States always match address pairs directionally. Even though "floating" is not physically tied to an interface, the packets on the external interface will be "going the wrong way" with respect to their addresses, and won't match state. This makes floating behave as if it were bound to an interface in most cases. The situations where floating vs if-bound matters tend to be subtle.
While Oliver's statement may not be technically accurate, it's close enough for this scenario.
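
The directional matching discussed in this thread, as an added example that is not part of the original messages and not pf source code: a simplified Python model of state lookup that follows one forwarded connection across both interfaces. The interface names, addresses, and the `State`, `Packet` and `walk` helpers are hypothetical, NAT is not modelled, and every hop that misses state is assumed to hit a `pass ... keep state` rule.

```python
# Simplified model of pf state lookup (assumption-based sketch, not pf source).
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str  # "in" or "out", relative to the firewall
    src: str
    dst: str

@dataclass(frozen=True)
class State:
    iface: str
    direction: str
    src: str
    dst: str
    if_bound: bool = False  # False models the default floating policy

    def matches(self, p: Packet) -> bool:
        if self.if_bound and p.iface != self.iface:
            return False
        # Same direction needs the same address pair; the opposite
        # direction needs the reversed pair (reply traffic).
        same_way = p.direction == self.direction and (p.src, p.dst) == (self.src, self.dst)
        reply = p.direction != self.direction and (p.src, p.dst) == (self.dst, self.src)
        return same_way or reply

# Constructed sample: LAN client to an Internet host, forwarded by the firewall.
CLIENT, SERVER = "192.168.1.10", "198.51.100.7"
INT_IF, EXT_IF = "int0", "ext0"  # hypothetical interface names

def walk(if_bound: bool = False):
    """Return (iface, direction, needed_rule) for request and reply hops."""
    states, hops = [], []
    path = [
        Packet(INT_IF, "in", CLIENT, SERVER),   # request enters internal if
        Packet(EXT_IF, "out", CLIENT, SERVER),  # request leaves external if
        Packet(EXT_IF, "in", SERVER, CLIENT),   # reply enters external if
        Packet(INT_IF, "out", SERVER, CLIENT),  # reply leaves internal if
    ]
    for p in path:
        miss = not any(s.matches(p) for s in states)
        hops.append((p.iface, p.direction, miss))
        if miss:  # assumed: a "pass ... keep state" rule matches and creates state
            states.append(State(p.iface, p.direction, p.src, p.dst, if_bound))
    return hops

if __name__ == "__main__":
    for hop in walk():
        print(hop)
```

In this model the request leaving the external interface misses the floating state created on the internal interface, so it still needs its own pass out rule, and the result is identical with `if_bound=True`.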
