Subject: Re: pf and state entries at securelevel 2
To: Nino Dehne <ndehne@gmail.com>
From: Martin Husemann <martin@duskware.de>
List: tech-net
Date: 06/15/2005 10:05:53
On Wed, Jun 15, 2005 at 07:09:32AM +0200, Nino Dehne wrote:
> 1) Should pf update state entries which are the result of a rule with
> "dynamic" address syntax?

You mean automagically? I don't think it can easily do that - for example
I have a fixed IP on my pppoe0 interface, but the stupid DSL provider
disconnects the link after 24h - it gets back up immediately, with the same
IP and I'm glad nothing killed any state in between.

This, of course, could be configurable.

> 2) Should state entries remain flushable even with securelevel 2?

Maybe we could allow this (via a sysctl setting unchangeable at 
securelevel > 1) optionally.

Martin