* Steve Johnson <[EMAIL PROTECTED]> [2008-05-08 14:57]:
> Is the state direction tracking something that changed at one point of the 
> PF development or has it always been like that?

it has always been like that.

it is the only sane thing to do. once you exceed that little 2 
interfaces firewall scenario you'll see why... you put policies on 
interfaces, and anyone going from netA to netB must pass the outbound 
policy on the netA facing interface and the inbound policy on the netB 
facing interface (to make things more confusing, the inbound policy is 
what gets written as "pass ->out<- on..."... anyway). with the one state 
covering everything you bypass netB's inbound policy, which is both 
dangerous and stupid.

ipfilter does it that way.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
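To make the per-interface policy point concrete, here is an added pf.conf fragment for a three-interface box (not from the thread; interface names and the documentation prefixes 192.0.2.0/24 and 198.51.100.0/24 are assumptions). A connection from netA to netB must pass the in-rules on $ifA and, separately, the out-rules on $ifB, so a port that $ifA admits but $ifB does not deliver is still blocked:

```conf
# Assumed interface and network macros (constructed for this example)
ifA  = "em0"              # faces netA
ifB  = "em1"              # faces netB
netA = "192.0.2.0/24"
netB = "198.51.100.0/24"

set skip on lo
block all                 # default deny, every interface, both directions

# Policy on the netA-facing interface: what netA hosts may send through us.
# A match here creates a state bound to this interface/direction only.
pass in on $ifA inet proto tcp from $netA to $netB port { 80 443 } keep state

# Policy on the netB-facing interface: what we are willing to deliver into netB.
# The same packet is evaluated again here; port 80 has no pass rule, so it is
# dropped even though $ifA let it in. Port 443 passes and gets a second state.
pass out on $ifB inet proto tcp from $netA to $netB port 443 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf`; after a netA to netB:443 connection, `pfctl -ss` shows two states, one on each interface, which is what makes the $ifB policy enforceable.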
