Subject: Re: Does ipf filter a packet once or twice?
To: Jukka Marin <jmarin@pyy.jmp.fi>
From: Jason R. Fink <jrf@diverge.org>
List: netbsd-users
Date: 04/09/2001 22:26:42
jm,

| A stupid question:

No, it isn't :)

| A packet arrives at, say, ep0 and is passed by the ipf "in" rules of ep0.
| The packet is destined to another network behind ep1, and is blocked by
| the "out" rules of ep1.  Unless I'm doing something stupid (like I often
| am), it seems that when the packet is accepted in via ep0, it will
| automagically be passed to ep1, even though the "out" rules would block it.

Think of it as a router/firewall; that makes it easier to understand. If
you think about it, a router only routes what you tell it to (esp.
reserved addresses, which you must be explicit about). Basically, what you
say you do not want passed out is more or less black holed or dumped
into the bit bucket.


| I use "quick" and grouping extensively.  The "in" rules of ep0 are part
| of group 100 and they are all "quick" (if the packet is passed, the rest
| of the rules are not checked).  The "out" rules of ep1 are part of
| group 450 and they are also "quick".

It is my understanding that quick circumvents previous settings; this is
mainly useful for people like myself who prefer to block all by default and
allow what I need.

This is actually a good practice, although I have a small setup so I tend
not to group. If you take a look at /usr/share/examples/ipf/ you will find
two really good examples, BASIC_1.FW and BASIC_2.FW, in addition to the
online docs previously mentioned.

	jrf


-- 
Jason R. Fink <jrf@diverge.org>
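As an added illustration of the two checks discussed in this thread (it is not a ruleset from either poster), here is a small ipf configuration using the thread's interface names ep0/ep1 and group numbers 100/450 with "quick" rules; the addresses 192.168.1.0/24, 192.168.1.10, 10.0.0.5 and 10.0.0.6 are constructed for the example.

```conf
# Added example, not from the original mail. Interface names and group
# numbers follow the thread; all addresses below are constructed.
# A forwarded packet is checked twice: once by the "in" rules of the
# interface it arrives on, and again by the "out" rules of the interface
# it would leave on. It is forwarded only if both checks pass.

# ep0 (inside LAN): inbound rules, group 100.
# The head rule blocks by default. Rules in group 100 are consulted only
# for packets arriving on ep0; "quick" stops evaluation at the first match.
# If nothing in the group matches, the head rule's action (block, logged)
# applies.
block in log quick on ep0 all head 100
pass in quick on ep0 proto tcp from 192.168.1.0/24 to any port = 80 group 100

# ep1 (toward the DMZ): outbound rules, group 450.
# Only web traffic to the DMZ web server 10.0.0.5 may leave via ep1.
block out log quick on ep1 all head 450
pass out quick on ep1 proto tcp from 192.168.1.0/24 to 10.0.0.5 port = 80 group 450

# Outcome for two constructed packets sent by 192.168.1.10:
#   TCP to 10.0.0.5 port 80: passed in on ep0 (group 100) and passed out
#     on ep1 (group 450), so it is forwarded.
#   TCP to 10.0.0.6 port 80: passed in on ep0 (group 100), but no rule in
#     group 450 matches, so the "block out log" head rule on ep1 drops it
#     and logs it. Accepting it on ep0 did not bypass the ep1 "out" rules.
#
# Return traffic is deliberately not covered here (no "keep state"), so
# in a real ruleset replies would need their own pass rules or state.
```

Load it with `ipf -Fa -f /etc/ipf.conf` and watch the logged drops with `ipmon` to confirm which interface and rule stopped the packet.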