tech-net archive


ipf: interaction of "in" and "out" rules



The first question is probably stupidly simple if you know the internals.

If I have a (non-quick) ipf rule blocking a packet on the incoming side, 
will a rule on the outgoing side "see" that packet, i.e., is it possible
to over-rule the "block in" decision with a "pass out" rule?


If not (which I would guess to be the case), how do I best handle the following:

I have a gateway machine with (amongst others) an interface in the outside net 
and another in the local DMZ net.

The rules for incoming traffic on the outside interface first block and then 
pass anything to a DMZ address. This is based on the assumption that on the 
servers with an interface in the DMZ, there's another instance of ipf running 
which decides (on the incoming side) whether to block those packets or not.
After that, I need a rule to block the subset of the packets mentioned above 
addressed to the gateway's own interface in the DMZ, because they will not be 
processed by another ipf instance. And finally, I can selectively pass a 
subset of those, i.e. packets from outside to selected ports of the gateway's 
DMZ address.

Now the question is how to handle broad/multicasts to the DMZ net. I may 
want to be able to process a subset of those on another server, where they 
will be blocked and then selectively passed by the local ipf instance. But 
therefore I need to let them pass on the gateway, and then the gateway's own 
DMZ interface will receive them by default (which I don't want).
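The layered outside-interface ruleset the post describes, written out as an added ipf.conf example (not from the original message); the interface name, the DMZ prefix, the gateway's DMZ address and the two service ports are assumed placeholders. Without `quick` the last matching rule decides, so each later, narrower rule overrides the broader one before it; inbound and outbound are separate filter passes, so a packet dropped by an inbound rule never reaches any outbound rule.

```conf
# Added example ipf.conf (constructed; not from the original message).
# Assumptions: outside interface ex0, DMZ network 192.0.2.0/24,
# gateway's own DMZ address 192.0.2.1, services on ports 22 and 25.
# No rule uses "quick", so the LAST matching rule wins and the
# narrowest rule must come last.

# 1. Default: block everything arriving on the outside interface.
block in on ex0 all

# 2. Pass anything addressed to the DMZ net; the ipf instance on each
#    DMZ server makes the real inbound decision for its own address.
pass in on ex0 from any to 192.0.2.0/24

# 3. Nothing else filters packets for the gateway's own DMZ address,
#    so take that subset of rule 2 back out.
block in on ex0 from any to 192.0.2.1

# 4. Selectively re-admit only the services the gateway itself offers
#    on its DMZ address (placeholder ports).
pass in on ex0 proto tcp from any to 192.0.2.1 port = 22 flags S keep state
pass in on ex0 proto tcp from any to 192.0.2.1 port = 25 flags S keep state
```

A broadcast or multicast packet admitted by rule 2 is delivered to the gateway's DMZ interface as well as forwarded, which is the situation the post asks about; `ipfstat -io` lists the loaded rules in evaluation order so the layering can be checked after loading.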

