On Wed, Aug 16, 2006 at 02:04:32PM -0700, George Pontis wrote:

> pass in quick on $int_if \
>    route-to ($ext_if2 $ext_gw2) \
>    inet proto tcp from 192.168.1.120 to any flags S/SA \
>    keep state (floating) \

You seem to be assuming that a floating state created on $int_if will
match packets on fxp0 (presumably $ext_if). That's simply not the case.
More details can be found in

  http://marc.theaimsgroup.com/?l=openbsd-pf&m=114372425614238

In short, you need a "pass out on fxp0 ... keep state" rule for those
connections, and you'll get TWO states per connection.

Daniel