On 02-09-2014 17:12, andy wrote:
> So why does;
> pass out quick on $if_ext tagged { T_LAN, T_DMZ } keep state
>
> NOT expand out to;
> pass out quick on $if_ext tagged T_LAN keep state
> pass out quick on $if_ext tagged T_DMZ keep state

I didn't test it. But if I recall correctly, that rule will expand exactly as you want it to.

But I disagree with you. I think you should separate the rules for the internal network from the DMZ. Even if they are physically on the same interface (vlan), they should be on separate rules. You could even use separate anchors, with a file for the internal net and another for the DMZ.

There is a point when too much simplification starts getting in the way of doing things securely, which is what OpenBSD is all about. If you really, really want to "simplify" your ruleset, you could first write it with security in mind, then use pf's ruleset optimizer, and then use the optimization as a starting point.
Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
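To make the two layouts discussed in the thread concrete, here is an added pf.conf sketch (not from either poster): the list form from the question, which `pfctl -nvf` prints expanded into one rule per tag, next to the per-segment anchor layout the reply recommends. Interface and tag names are taken from the question; the vlan names, addresses and anchor file paths are assumed.

```pf
# Added example. Macro values below are made up for illustration.
if_ext = "em0"
if_lan = "vlan10"
if_dmz = "vlan20"

# Tag traffic as it enters from each internal segment, so egress
# rules on $if_ext can match on the segment rather than on addresses.
pass in on $if_lan from 10.0.10.0/24 tag T_LAN keep state
pass in on $if_dmz from 10.0.20.0/24 tag T_DMZ keep state

# Layout 1: the list form from the question. "pfctl -nvf pf.conf"
# shows it expanded into one "tagged T_LAN" rule and one
# "tagged T_DMZ" rule, in list order. Because it is "quick", nothing
# after it is evaluated for tagged packets, so use either this rule
# or the anchor layout below, not both.
pass out quick on $if_ext tagged { T_LAN, T_DMZ } keep state

# Layout 2: one anchor per segment, each loaded from its own file, so
# LAN and DMZ egress policy can be reviewed and changed independently.
# Each anchor file only needs rules for its own tag, e.g. in
# /etc/pf.anchors/lan:
#   pass out quick on em0 tagged T_LAN keep state
# and in /etc/pf.anchors/dmz:
#   pass out quick on em0 tagged T_DMZ keep state
anchor "lan" out on $if_ext
load anchor "lan" from "/etc/pf.anchors/lan"
anchor "dmz" out on $if_ext
load anchor "dmz" from "/etc/pf.anchors/dmz"
```

Running `pfctl -nvf pf.conf` parses the file without loading it and prints the expanded rules, which is the quickest way to confirm how a list such as `{ T_LAN, T_DMZ }` is split.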