Subject: Re: IPF 4.1.20
To: Hauke Fath <hauke@Espresso.Rhein-Neckar.DE>
From: Brian Buhrow <buhrow@lothlorien.nfbcal.org>
List: current-users
Date: 05/07/2007 13:58:48
	Hello.  In looking at the pf.conf(5) man page, it looks like you can
set the state policy to either be interface based, group based, or
floating, which is what I think you want.  I'm not sure about the group
question, but I think the version of pf in NetBSD is new enough to support
groups as well.  I've not joined the pf mailing lists, I probably should,
as I've been able to do what I needed with the supplied documentation and
with a few questions to friends who also use pf.  In any case, I'm not
advocating a change, just asking the question, as I've been pretty happy
with it, and I've been somewhat burned by ipf in the past.
-thanks
-Brian
On May 7, 10:15pm, Hauke Fath wrote:
} Subject: Re: IPF 4.1.20
} [problems with ipf and stateful nfs traffic]
} 
} At 8:32 Uhr -0700 7.5.2007, Brian Buhrow wrote:
} >Is switching to pf, as opposed to ipf, an option?
} 
} I thought about that a while back. As it is, I came across three major
} obstacles, two of technical nature, and one of... well, social nature.
} 
} The technical issues are that (a) pf keeps state per-interface (or so I
} understand), whereas ipf state is machine-global. The machine in question
} routes to eight subnets, and pf would considerably increase the number of
} stateful rules per interface. You could probably work around that by
} extensive use of macros, but I find that inflates the namespace and rather
} obscures the rule base. And (b), my current ruleset relies heavily on
} (per-interface) groups, for structuring the ruleset more than performance,
} and pf does not support groups.
} 
} The social issue is that I seem to be emotionally incompatible with what
} appears to be normal tone towards people asking questions on openbsd lists.
} 
} The more I think of it, the more sense it makes to set up a test
} environment, both to reproduce the problems I see outside a production
} environment, and to try out various software.
} 
} 	hauke
} 
} --
} "It's never straight up and down"     (DEVO)
} 
} 
>-- End of excerpt from Hauke Fath
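As an added illustration of the pf.conf(5) state-policy setting Brian refers to above (this is not from either poster, and not a ruleset anyone on the thread actually runs): pf can keep state machine-wide with `set state-policy floating`, which is closest to the ipf behaviour Hauke describes, and individual rules can still override that with a `(if-bound)` state option. The interface names and subnets are made up; whether the `group-bound` keyword is accepted depends on the pf version in use, so it is left out here.

```conf
# Added example: pf.conf fragment showing global vs. per-rule state binding.
# Interface names and prefixes below are invented stand-ins.

ext_if  = "fxp0"
int_ifs = "{ fxp1 fxp2 fxp3 }"                       # routed internal segments
int_nets = "{ 10.0.1.0/24 10.0.2.0/24 10.0.3.0/24 }"  # assumed subnets

# Global default: a state entry matches on whichever interface the reply
# shows up, instead of being tied to the interface it was created on.
set state-policy floating

block log all

# Per-rule override: keep this state bound to the interface it was created on.
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh keep state (if-bound)

# Traffic between the routed subnets, one rule for the whole interface list;
# these states inherit the global floating policy.
pass in  on $int_ifs inet from $int_nets to any keep state
pass out on $ext_if  inet from $int_nets to any keep state
```

With `floating` as the default, a single `pass` rule over an interface list covers several subnets without one stateful rule per interface, which is the point Hauke raises about rule-count growth; `if-bound` is then applied only where replies must arrive on the same interface.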