Subject: ICMP acting weird in ipf 4.1.3? (netbsd-2.0_RC1)
To: NetBSD Current Users <current-users@NetBSD.org>
From: Jeff Rizzo <riz@boogers.sf.ca.us>
List: current-users
Date: 09/29/2004 08:24:58
I just upgraded my kernel from a circa-July 2.0_BETA to 2.0_RC1 
(userland, too), and discovered I could no longer ping myself from 
outside, despite the following rule near the top of my ipf.conf:

pass in quick proto icmp from any to any

A little more searching revealed this line near the bottom of my file:

pass out quick on tlp1 proto icmp from any to any keep state keep frags

...so I enabled logging on both of those lines to help me figure out 
more about what was going on, and saw lines like this from ipmon for 
each packet:

Sep 29 08:08:03 boogers ipmon[19119]: 08:08:02.643999 tlp1 @0:2 p lychee.tastylime.net[199.233.217.35] -> adsl-66-124-71-68.dsl.sntc01.pacbell.net[66.124.71.68] PR icmp len 20 84 icmp echo/0 IN
Sep 29 08:08:03 boogers ipmon[19119]: 08:08:02.644070 tlp1 @0:3 b adsl-66-124-71-68.dsl.sntc01.pacbell.net[66.124.71.68] -> lychee.tastylime.net[199.233.217.35] PR icmp len 20 84 icmp echoreply/0 K-S K-F OUT


So, clearly, the reply packets are being blocked by the outgoing "keep 
state" rule, and sure enough, when I comment that rule out, I can ping 
my machine from outside again.  Strangely enough, pinging from _inside_ 
works whether or not the rule is in place (as I expect it should).

My question is:  this obviously changed between ipf 4.1.1 and 4.1.3 (at 
least as realized in 2.0_BETA/RC1, though I chatted with someone on IRC 
who is having a similar issue).  Is this the way it's supposed to work, 
or is something actually broken?  (I suspect the latter)

Thanks,
+j
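The diagnosis above comes from reading two ipmon lines by eye. As an added example (not part of the post, and not NetBSD or IPFilter code), here is a small parser for the ipmon line layout shown in the post that pairs a blocked, state-keeping OUT packet with the passed IN packet it answers, so the same symptom can be spotted in a larger log. It assumes the resolved-name form `host[ip]` that the post shows; the optional `,port` suffix for TCP/UDP and the third sample line (a passed outbound echo, the "pinging from inside works" case) are constructed for the example and are not from the post.

```python
"""Parse ipmon(8) log lines and flag replies blocked by a stateful OUT rule.

Added example based on the line layout in the post; not IPFilter's own code.
"""
import re
from dataclasses import dataclass

# Layout as shown in the post: syslog prefix, ipmon timestamp, interface,
# @group:rule, action letter (p = pass, b = block), src[ip] -> dst[ip],
# "PR proto len hlen plen", protocol detail (e.g. "icmp echo/0"), optional
# rule flags (K-S = keep state, K-F = keep frags), then IN or OUT.
# The optional ",port" suffix is an assumption for TCP/UDP lines.
IPMON_RE = re.compile(
    r"^(?P<syslog>\w{3} +\d+ [\d:]+) (?P<host>\S+) ipmon\[(?P<pid>\d+)\]: "
    r"(?P<stamp>[\d:.]+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S) "
    r"(?P<src>[^\s\[]+)\[(?P<src_ip>[^\]]+)\](?:,(?P<sport>\d+))? -> "
    r"(?P<dst>[^\s\[]+)\[(?P<dst_ip>[^\]]+)\](?:,(?P<dport>\d+))? "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<plen>\d+)"
    r"(?P<rest>.*?) (?P<dir>IN|OUT)$"
)

# Sample input: the two lines quoted in the post, plus one constructed line
# showing a passed outbound echo request that the stateful rule accepts.
SAMPLE_LOG = """\
Sep 29 08:08:03 boogers ipmon[19119]: 08:08:02.643999 tlp1 @0:2 p lychee.tastylime.net[199.233.217.35] -> adsl-66-124-71-68.dsl.sntc01.pacbell.net[66.124.71.68] PR icmp len 20 84 icmp echo/0 IN
Sep 29 08:08:03 boogers ipmon[19119]: 08:08:02.644070 tlp1 @0:3 b adsl-66-124-71-68.dsl.sntc01.pacbell.net[66.124.71.68] -> lychee.tastylime.net[199.233.217.35] PR icmp len 20 84 icmp echoreply/0 K-S K-F OUT
Sep 29 08:09:10 boogers ipmon[19119]: 08:09:10.101010 tlp1 @0:3 p adsl-66-124-71-68.dsl.sntc01.pacbell.net[66.124.71.68] -> lychee.tastylime.net[199.233.217.35] PR icmp len 20 84 icmp echo/0 K-S K-F OUT
"""


@dataclass
class IpmonEntry:
    stamp: str
    iface: str
    group: int
    rule: int
    action: str        # 'p' passed, 'b' blocked
    src_ip: str
    dst_ip: str
    proto: str
    detail: str        # e.g. "icmp echoreply/0"
    flags: tuple       # e.g. ("K-S", "K-F")
    direction: str     # "IN" or "OUT"

    @property
    def blocked(self) -> bool:
        return self.action == "b"

    @property
    def keeps_state(self) -> bool:
        return "K-S" in self.flags


def parse_line(line: str):
    """Return an IpmonEntry for one ipmon line, or None if it does not match."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    tokens = m["rest"].split()
    flags = tuple(t for t in tokens if t.startswith("K-"))
    detail = " ".join(t for t in tokens if not t.startswith("K-"))
    return IpmonEntry(m["stamp"], m["iface"], int(m["group"]), int(m["rule"]),
                      m["action"], m["src_ip"], m["dst_ip"], m["proto"],
                      detail, flags, m["dir"])


def parse_log(text: str):
    """Parse every recognisable line; unrecognised lines are skipped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def find_blocked_replies(entries):
    """Pair each blocked OUT packet hitting a keep-state rule with the most
    recent passed IN packet of the same protocol whose addresses are reversed,
    i.e. the request it is replying to."""
    pairs = []
    for i, reply in enumerate(entries):
        if not (reply.blocked and reply.keeps_state and reply.direction == "OUT"):
            continue
        for request in reversed(entries[:i]):
            if (request.direction == "IN" and not request.blocked
                    and request.proto == reply.proto
                    and request.iface == reply.iface
                    and request.src_ip == reply.dst_ip
                    and request.dst_ip == reply.src_ip):
                pairs.append((request, reply))
                break
    return pairs


def describe(request: IpmonEntry, reply: IpmonEntry) -> str:
    """One-line human summary of a blocked reply and its request."""
    return (f"@{reply.group}:{reply.rule} blocked OUT {reply.detail} to "
            f"{reply.dst_ip} ({' '.join(reply.flags)}) in reply to "
            f"@{request.group}:{request.rule} passed IN {request.detail} "
            f"from {request.src_ip}")


if __name__ == "__main__":
    for req, rep in find_blocked_replies(parse_log(SAMPLE_LOG)):
        print(describe(req, rep))
```

Run against the two lines from the post, this reports rule @0:3 blocking the outbound `icmp echoreply/0` that answers the echo passed in by @0:2; the constructed outbound echo request is passed and so is not reported.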