Subject: Re: Utilising multiple routes to internet
To: David Brownlee <abs@absd.org>
From: Mike M. Volokhov <mishka@intostroy.com>
List: tech-net
Date: 01/11/2006 12:20:29
On Tue, 10 Jan 2006 18:26:23 +0000 (GMT)
David Brownlee <abs@absd.org> wrote:

[snip]
>      pass out quick on $extif to $altif:$altgip proto tcp from $extip to any flags S keep state
> 
>  	This all works very well, any traffic from the internal hosts
>  	goes out via the normal $extif, while web traffic and anything
>  	run directly from the gateway goes via $altif. I could easily
>  	split the "pass out quick on" to a set of port = 80 and similar
>  	rules, but chose not to.
> 
>  	Now, if a tcp connection comes in on $altif to $altip then
>  	the return data always goes out on $extif _from_ $extip.
>  	Is there any way to get that connection's return traffic
>  	to come from the IP address to which it connected ($altip?)
[snip]

I believe this is possible with exact keep state rules for incoming
traffic too. I.e.:

pass in quick on $altif proto tcp from any to WHAT_YOU_WANT_HERE flags S keep state
pass out quick on $extif to $altif:$altgip proto tcp from $extip to any flags S keep state

In this case the dynamic keep state table will be processed before the "to
$altif:$altgip" rule.

But I'm not sure :-/

--
Mishka
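To make the ordering Mishka is reasoning about visible (state table consulted before the rule list, and an inbound "keep state" entry pinning the reply to the interface the connection arrived on), here is a small Python model. It is an added illustration, not code from this thread or from any real packet filter, and everything about its behaviour is an assumption for the sake of the example: the state-table-first lookup, the "to iface:gateway" override, the "flags S" handling, and the constructed interface names and addresses. It does not claim to reproduce the real filter's state handling, which is exactly the point Mishka is unsure about.

```python
"""Simplified model of a stateful packet filter with per-rule policy routing.

Assumptions (illustration only, not a description of a real filter):
  (a) the state table is consulted before the rule list;
  (b) a state created by an inbound "keep state" rule remembers the interface
      the connection arrived on and sends replies back out that interface;
  (c) "to iface:gateway" on a rule overrides the routing table's choice.
Interface names and addresses below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out"
    iface: str          # interface the filter sees the packet on
    proto: str
    src: str
    dst: str
    flags: str = ""     # TCP flags: "S" bare SYN, "SA" SYN/ACK, "A" data/ack


@dataclass
class Rule:
    direction: str
    iface: str
    proto: str
    src: str                                    # IP address or "any"
    dst: str
    syn_only: bool = False                      # "flags S": only the initial SYN matches
    keep_state: bool = False                    # "keep state"
    route_to: Optional[Tuple[str, str]] = None  # "to iface:gateway"

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction and p.iface == self.iface
                and p.proto == self.proto
                and self.src in ("any", p.src) and self.dst in ("any", p.dst)
                and (not self.syn_only or p.flags == "S"))


@dataclass
class State:
    forward_iface: Optional[str]   # egress for later packets in the original direction
    reply_iface: Optional[str]     # egress for packets going back the other way


@dataclass
class Filter:
    rules: List[Rule]
    default_iface: str             # where the routing table would send outbound traffic
    states: Dict[Tuple[str, str, str], State] = field(default_factory=dict)

    def process(self, p: Packet) -> Tuple[str, Optional[str]]:
        """Return (verdict, egress interface); egress is None for inbound packets."""
        # 1. State table first: packets of a known connection bypass the rule list.
        st = self.states.get((p.proto, p.src, p.dst))        # same direction as recorded
        if st is not None:
            return "pass (state)", st.forward_iface if p.direction == "out" else None
        st = self.states.get((p.proto, p.dst, p.src))        # reply direction
        if st is not None:
            return "pass (state)", st.reply_iface if p.direction == "out" else None
        # 2. First matching rule wins (all rules here are "quick").
        for r in self.rules:
            if not r.matches(p):
                continue
            egress = None
            if p.direction == "out":
                egress = r.route_to[0] if r.route_to else self.default_iface
            if r.keep_state:
                # an inbound connection records the interface it arrived on as the
                # interface its replies must leave on
                self.states[(p.proto, p.src, p.dst)] = State(
                    forward_iface=egress,
                    reply_iface=p.iface if p.direction == "in" else None)
            return "pass (rule)", egress
        # 3. Nothing matched: this model passes the packet along the routing table.
        return "pass (default)", self.default_iface if p.direction == "out" else None


# Constructed sample values standing in for $extif/$altif/$extip/$altip/$altgip.
EXTIF, ALTIF = "wm0", "wm1"
EXTIP, ALTIP, ALTGIP = "192.0.2.10", "198.51.100.10", "198.51.100.1"
REMOTE = "203.0.113.5"

# pass out quick on $extif to $altif:$altgip proto tcp from $extip to any flags S keep state
OUT_VIA_ALT = Rule("out", EXTIF, "tcp", EXTIP, "any",
                   syn_only=True, keep_state=True, route_to=(ALTIF, ALTGIP))
# pass in quick on $altif proto tcp from any to $altip flags S keep state
IN_ON_ALT = Rule("in", ALTIF, "tcp", "any", ALTIP, syn_only=True, keep_state=True)


def reply_interface(rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """Where the SYN/ACK leaves for a TCP connection that arrived on ALTIF."""
    fw = Filter(rules, default_iface=EXTIF)
    fw.process(Packet("in", ALTIF, "tcp", REMOTE, ALTIP, flags="S"))
    # the routing table would hand the reply to EXTIF; the filter has the last word
    return fw.process(Packet("out", EXTIF, "tcp", ALTIP, REMOTE, flags="SA"))


def gateway_originated() -> Tuple[str, Optional[str]]:
    """A connection started on the gateway itself keeps using the ALTIF route."""
    fw = Filter([IN_ON_ALT, OUT_VIA_ALT], default_iface=EXTIF)
    fw.process(Packet("out", EXTIF, "tcp", EXTIP, REMOTE, flags="S"))
    return fw.process(Packet("out", EXTIF, "tcp", EXTIP, REMOTE, flags="A"))


if __name__ == "__main__":
    print("outbound rule only:", reply_interface([OUT_VIA_ALT]))
    print("with inbound keep state:", reply_interface([IN_ON_ALT, OUT_VIA_ALT]))
    print("gateway-originated:", gateway_originated())
```

With only the outbound rule, the reply from the alternate address falls through to the routing table and leaves on the primary interface, which is the symptom in the question; with the inbound "keep state" rule in front, the state entry sends it back out the interface it arrived on, which is the ordering the reply above relies on. Whether the real filter records the arrival interface in its state entry is the part to confirm against its documentation before relying on it.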