Subject: Understanding ipfilter's keep state
To: None <netbsd-help@netbsd.org>
From: Sam Carleton <sam@linux-info.net>
List: netbsd-help
Date: 12/26/2002 22:32:46
Folks, I know that this is a Q for the ipfilter mailing list,
but I posted there this morning and I am being impatient :)
With that said, this is what I posted to the ipfilter mailing
list this morning:

Folks,

It looks like I have all the networking issues resolved and
now I just have to tighten down the hatch.  What I have is
a firewall with three NICs:

iy0 --> external
ex0 --> private network
ex1 --> server network

I have both the private network and the server network protected
from the Internet.  I don't have the private network or the
Internet protected from the server network, nor the server
network protected from the private network.

First the Server network:

The only service on the server network that needs to initiate a
connection outside the server network is the SMTP relay.  I
want to stop any initiating connection from getting out of the
server network.  I currently have this rule to allow connections
into my web server:

pass in quick on iy0 proto tcp from any to (server address)/32
port = 80 flags S keep state

Without regard for the outgoing SMTP connection, is it now
possible to simply do a 'block in on ex1 all'?  Will the keep
state of the rule above allow the reply to get out?

It is my understanding that I will need to have a pass in on
ex1 rule for every SMTP relay server which my servers need to
talk to.

Finally the private network:

As it stands now, any and all connections are routed from the
private network to the server network.  I would like to enact
the same set of rules on the private network as there are on
the Internet, only allowing a few types of connections.

Should I simply copy the 'pass in on iy0' rules and change the
interface to ex0, or should everything be done once on ex1?
Or should I have rules for both?

Thanks for the help!

Sam
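As an added illustration, not part of Sam's post or any reply to it, one way the three-interface layout he describes could be written as an ipf.conf ruleset: per-interface default deny, with every permitted connection admitted by a `pass in ... keep state` rule on the interface where it first arrives. The addresses (192.0.2.0/24 for the server network, 192.0.2.10 for the web server, 203.0.113.25 for the SMTP relay, 10.0.0.0/24 for the private network) are constructed placeholders, and the choice of which services to allow from the private network is an assumption for the example.

```ipf
# Added example ruleset (constructed addresses, not from the original post).
# Interfaces as in the post: iy0 = external, ex0 = private, ex1 = server.

# Default deny on every interface; nothing passes unless a later rule
# matches or an existing state entry covers the packet.
block in all
block out all

# --- iy0 (Internet) ---
# Allow new connections to the web server only; the SYN-only match
# ("flags S") plus "keep state" creates the state entry that is expected
# to carry the rest of the session, including the server's replies.
pass in quick on iy0 proto tcp from any to 192.0.2.10/32 port = 80 flags S keep state

# --- ex1 (server network) ---
# Servers may initiate only SMTP to the relay; anything else that
# originates here (including connections toward the private network)
# falls through to the "block in all" above.
pass in quick on ex1 proto tcp from 192.0.2.0/24 to 203.0.113.25/32 port = 25 flags S keep state

# --- ex0 (private network) ---
# Same posture toward the server network as the Internet has: list the
# few permitted services explicitly. Which services is an assumption here.
pass in quick on ex0 proto tcp from 10.0.0.0/24 to 192.0.2.10/32 port = 80 flags S keep state
pass in quick on ex0 proto tcp from 10.0.0.0/24 to 192.0.2.0/24 port = 22 flags S keep state

# Rules for each interface stay with the interface where the first packet
# of the connection arrives; duplicating them on the other side is not
# needed when the pass rule keeps state.
```

Anything the ruleset should refuse can be checked against ipf's state and rule logs (ipmon) rather than inferred, since a forwarded packet that is dropped will show up as a block on the interface it was leaving through.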