>> So, single state entry affects traffic on single interface only?

> It is a little bit different than that.
> A state also has a 'direction' associated with it.
> So, a state matches either incoming or outgoing traffic.
> As long as the direction matches, the interface does not
> really matter.
> Sometimes, rarely, you have to enforce the interface
> (usually only useful for IPSec (enc0) traffic); this is
> what the ifbound states (check pf.conf man page) are for.

Thank you very much for the comprehensive explanation. I totally missed that a state entry uses gateway-related direction to match packets. *reading manuals one more time*

> Keep in mind that address translation is done before
> matching rules. NAT changes the source and is always done at the
> outgoing interface. RDR changes destination, at the incoming interface.

Yes, I learnt it after 3.1 migration :)

> Actually, once you are comfortable with states, queueing is
> very flexible and powerful.

Looks like it's time to learn PF-usage again ...
