Subject: a question about pf
To: None <tech-net@netbsd.org>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-net
Date: 01/21/2003 20:43:08

My firewall is multihomed, both because it has two uplinks on which packets
can be received, and because I have a number of tunnels on which routing
may determine how things go.

A limitation of ipf is that the state for the TCP session is strongly
attached to a single interface. If I could tell IPF that "ex0, tlp0, gif309
and gif310 are equivalent" for state and rule info, I'd be happy. (maybe this
is already there and I'm too stupid).

I'm wondering if PF provides this kind of thing at all?

If neither does, and it would be hard to add, then I may consider splitting my
firewall and border router so that my firewall sees only a single upstream
link.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [