* Otto Moerbeek <[EMAIL PROTECTED]> [2008-05-08 13:47]:
> On Thu, May 08, 2008 at 07:23:41AM -0400, Steve Johnson wrote:
>
> > Thanks for the information. This is the first time that I've used PF as a
> > router based firewall and not with NAT. I didn't know that the state was on
> > a per interface basis, and not global to the system. So this means that
> > unless I want to allow all outbound traffic from my firewall, I need to
> > have a matching pass out rule for all the pass in rules for which I want to
> > restrict the inbound interface (ie for which I don't want to put just pass
> > for)?
>
> No, states are by default global and not tied to an interface. See man
> pf.conf.
now you confused him even more :)

while otto is right, contrary to your belief, the direction of creation is
in the state. so given routing doesn't change they are effectively
per-interface. it's just that they can move onto another interface if
routing changes.

for your case, consider skipping filtering on one interface (set skip em5)

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
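To make the two points in this thread concrete (floating state means a "pass in" on one interface needs no matching "pass out" on the other; "set skip" takes an interface out of filtering entirely), here is an added pf.conf sketch that is not part of the thread. The interface names em0/em5 and the 192.0.2.0/24 LAN are assumptions for illustration.

```pf
# Added example, not from the thread. Routing firewall, no NAT:
# em0 faces the outside, em5 faces the LAN (names and network assumed).
ext_if = "em0"
int_if = "em5"
lan    = "192.0.2.0/24"

# Default: states are not bound to an interface. A state created by a
# packet that matched "pass in on em0" also matches the same packet when
# it leaves on em5, so no "pass out on em5" rule is needed for it.
set state-policy floating

# Approach 1 (filter on both interfaces, default deny):
# block all
# pass in on $ext_if inet proto tcp from any to $lan port 22 keep state
# pass in on $int_if inet proto tcp from $lan to any port { 80 443 } keep state
# The replies to both rules are passed by the state, in whichever
# direction and on whichever interface they travel.

# Approach 2 (Henning's suggestion): do not filter on the LAN side at
# all, and write every rule against the outside interface only.
set skip on $int_if

block all

# Traffic arriving from the LAN is not filtered on em5; it is evaluated
# once, here, as it leaves em0. Replies match the state when they come
# back in on em0.
pass out on $ext_if inet proto tcp from $lan to any port { 80 443 } keep state

# Traffic from the outside to the LAN is evaluated once, on em0. The
# forwarded packet on em5 is skipped, the reply matches the state.
pass in on $ext_if inet proto tcp from any to $lan port 22 keep state
```

After loading, `pfctl -ss` lists the states; since the state carries the direction it was created in, a state created by an inbound packet on em0 does not let an unrelated new connection through in the other direction.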