Subject: Re: NAT + identd.
To: None <netbsd-users@netbsd.org>
From: Wolfgang Rupprecht <wolfgang@wsrcc.com>
List: netbsd-users
Date: 04/09/2001 21:54:41
> just tell it to be, tack this onto the end of the entry:
> 
>  . . . keep state

Does "keep state" now work well enough to use?

I tried to have a block-all ruleset with holes punched for traffic
that originated internally.  The outgoing packet would set the state
and the incoming would be allowed back in via the saved state.  The
problem was that ipf would fill up the log file with blocked warnings
from places like "www.foo.com:80->myhost.com:65534".  Clearly the ipf
state wasn't sticking around for the max-ttl of the packet and at
tcp-connection close time the last few stragglers would get blocked
and logged as security problems.  The result was that the logfile was so
littered with spurious messages that one couldn't find the intrusion
attempts if one wanted to.

-wolfgang
-- 
       Wolfgang Rupprecht <wolfgang+gnus@dailyplanet.wsrcc.com>
		    http://www.wsrcc.com/wolfgang/
Coming soon: GPS mapping tools for Open Systems. http://www.gnomad-mapping.com/
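For reference, a block-all ruleset of the kind described above, added here as an illustration and not taken from the thread. The interface name ne0 and the final unlogged rule for stray ACK-only segments (the "stragglers" from connection teardown) are assumptions, not anything the poster wrote.

```conf
# Example /etc/ipf.conf (constructed illustration, not from the thread).
# ipf evaluates rules in order; the last matching rule wins unless "quick"
# stops evaluation.  Interface name "ne0" is an assumption.

# Default policy: drop and log everything that reaches the interface.
block in log on ne0 all
block out log on ne0 all

# Punch holes only for traffic that originates internally.  "keep state"
# creates a state entry on the outgoing packet; the reply is matched
# against that entry and allowed back in without a separate "pass in".
# "flags S/SA" restricts state creation to the initial SYN.
pass out quick on ne0 proto tcp from any to any flags S/SA keep state
pass out quick on ne0 proto udp from any to any keep state
pass out quick on ne0 proto icmp from any to any keep state

# Assumed mitigation for the log noise described above: once a TCP
# connection closes, its state entry is torn down quickly, so late
# retransmitted ACK/FIN segments from the remote side (e.g. port 80 back
# to an ephemeral port) hit the default block rule and are logged.
# Dropping ACK-only segments to ephemeral ports without "log" keeps them
# out of the logfile while still blocking them; genuine new-connection
# attempts (SYN) still fall through to the logged block rule above.
block in quick on ne0 proto tcp from any to any port > 1023 flags A/SA
```

Place the unlogged stray-ACK rule before the default logged block only if your ipf version evaluates "quick" rules first-match, as ipf does; otherwise the logged block still wins.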