Subject: Re: Multiple default routes through different network interfaces?
To: Alicia da Conceicao <alicia@cyberstation.ca>
From: sudog <sudog@sudog.com>
List: tech-net
Date: 10/23/2001 09:15:05
> However, they do not work with the keep state rules in
> my existing ipf configuration.
Interesting. I have a lot of keep state rules myself and it seems to work
fine--except in my configuration, my "to" has that interface's gateway,
not that interface's IP address. An equivalent in your configuration might
be something like:
pass out quick on eth0 to eth1:123.123.123.1 proto tcp from
231.231.231.231/32 to any
Also, for incoming services I wouldn't use keep state. I'd use just plain
pass rules, or else a DoS attack will wedge your system from remote
communication as the state rules fill up. This is very dangerous,
especially on any kind of production machine.
On ports you want to filter based on IP address, let those be your keep
state rules with a "from trusted.ip.address/32 port = blah" key in them.
> These patches are very dated, and are for a very old NetBSD release.
> Unfortunately it will take a lot of work to update them to work with
> the NetBSD-1.52 release. :-(
Yes, that's correct. :( Too bad Vixie didn't get them committed before.
Wonder why that was?
> I am very grateful for showing me the fastroute tip for ipf. :-)
> Hopefully I can find a way to get it to co-exist with my existing
> firewall rulesets.
>
> If I come across any other solutions, I will let you know.
I'd be interested in anything you manage to get running for outgoing load
balancing--even if it's as simple as a round-robin, but especially if you
get any kind of specialized stuff going. I'm certain everyone else on the
mailing lists would as well.
Marc
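An added ipf.conf fragment (not part of the original thread) that puts the three suggestions above together: the outbound "to interface:gateway" rule, plain stateless pass rules for a public service so a flood cannot fill the state table, and a keep state rule keyed on a trusted source address. The interface names and the addresses 231.231.231.231 and 123.123.123.1 are the ones used in the message; the trusted host 192.0.2.10 and ports 80 and 22 are assumed.

```ipf
# Added example ipf.conf fragment; eth0/eth1 and the two addresses come from
# the thread, the trusted host 192.0.2.10 and the port numbers are assumed.

# Default: drop anything inbound on eth0 that no later "quick" rule passes
# (ipf is last-match unless a rule says quick, so this goes first).
block in on eth0 all

# Outbound from this host leaves via eth1's gateway rather than eth1's own
# address; state keeps the replies flowing back through the same path.
pass out quick on eth0 to eth1:123.123.123.1 proto tcp from 231.231.231.231/32 to any flags S keep state

# Public web service: plain pass rules in both directions, no keep state,
# so a SYN flood against port 80 cannot exhaust the state table.
pass in  quick on eth0 proto tcp from any to 231.231.231.231/32 port = 80
pass out quick on eth0 proto tcp from 231.231.231.231/32 port = 80 to any

# Admin access only from one trusted address: here keep state is fine,
# because only that source can create entries.
pass in quick on eth0 proto tcp from 192.0.2.10/32 to 231.231.231.231/32 port = 22 flags S keep state
```

Load it with `ipf -Fa -f /etc/ipf.conf` and watch `ipfstat -s` under load to confirm the state table stays small.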