Alright. So if I want speed, I'll keep 'keep state' and put up separate block/pass rules for the xl0 interface as well, right? Or which way is it normally done?
Regards, Mathias.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Pick

Given the rules you've shown us, yes. The two rules that say:

    pass in quick on xl0 proto ... keep state

allow packets from your internal network in ***and insert a state-table entry for the packet***. Since the state-table is checked before the rules, those packets will be allowed out of xl1 even though the rules say everything is blocked. Also, the *return* packets coming in on xl1 and out on xl0 will also be allowed by the state-table entry.

You have *not* set any rules to allow traffic out from the firewall itself on xl1 - so no state-table entry gets made for this traffic and it *is* all blocked.

-- David Pick
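An added ruleset (not from either poster) that lays out the two cases David describes, written in the ipf/pf "pass in quick ... keep state" form quoted in the thread; the interface names xl0/xl1 are from the thread, while the internal network 192.168.1.0/24 and the firewall's external address 203.0.113.2 are assumed placeholders.

```conf
# Added example ruleset (not from the thread). Interfaces xl0 (internal)
# and xl1 (external) are from the thread; addresses are assumed placeholders.
#
# Default: nothing passes in either direction on any interface unless a
# state-table entry or an explicit rule matches.
block in all
block out all

# Case 1: internal LAN hosts going out. The packet arrives on xl0, matches
# this rule, and a state-table entry is created. Because the state table is
# consulted before the rules, that entry then lets the same packet leave on
# xl1 and lets the reply come back in on xl1 and out on xl0, with no pass
# rules for xl1 at all.
pass in quick on xl0 proto tcp from 192.168.1.0/24 to any keep state
pass in quick on xl0 proto udp from 192.168.1.0/24 to any keep state

# Case 2: the firewall's own traffic (its DNS lookups, fetches, outbound ssh).
# It never enters on xl0, so no state entry exists and "block out all" drops
# it. A separate stateful pass rule on xl1 is required; the state entry it
# creates also admits the replies arriving on xl1.
pass out quick on xl1 proto tcp from 203.0.113.2 to any keep state
pass out quick on xl1 proto udp from 203.0.113.2 to any keep state
```

Removing the two "pass out quick on xl1" lines reproduces the symptom in the thread: LAN traffic still flows via state, but everything originating on the firewall itself is blocked.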
