From: "Ronnel P. Maglasang" <rmaglasang@infoweapons.com>
To: freebsd-pf@freebsd.org
Date: Mon, 19 Jun 2006 10:16:32 +0800
Message-ID: <44960900.4000406@infoweapons.com>
Subject: outgoing LAN traffic always in "keep state"
List-Id: "Technical discussion and general questions about packet filter (pf)"

I have a minimal PF setup that sits between my internal network (LAN) and external network (WAN). PF, by design, bypasses ruleset evaluation (on external interfaces) for incoming packets on the external interface that correspond to an entry in the state table or are a response to an internally generated packet. I observe this for TCP, UDP and also ICMP packets. Even if the matching rule on the internal interface does not have a "keep state", the response packet still bypasses the ruleset evaluation.
Is there a way to force response packets to go through ruleset evaluation? I just want to have full control of the incoming packets on the external interface, whether they are a response to LAN traffic or not. I'll be implementing queueing soon and I think this PF behavior will affect it badly. Has anyone experienced this? Thanks a lot.

- sho
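As an added example, not part of the original mail and not FreeBSD or pf project documentation, the pf.conf fragment below shows the two knobs pf provides for what the post asks about: `set state-policy if-bound`, which confines a state to the interface that created it (with the default `floating` policy a state created by an internal-interface rule also matches the reply when it arrives on the external interface), and stateless rules on the external interface, so that every packet crossing it in either direction is evaluated by a rule and can be logged or assigned a queue. The interface names, LAN network and port list are assumptions for illustration.

```pf
# Added example, not from the original post. Interface names, the LAN
# network and the port list are assumptions.
ext_if  = "em0"
int_if  = "em1"
lan_net = "10.3.1.0/24"

# Default policy is "floating": a state created on $int_if matches the
# reply on $ext_if, so the reply never reaches the $ext_if rules.
# "if-bound" ties each state to the interface that created it.
set state-policy if-bound

block log all

# LAN side stays stateful: the state is bound to $int_if and matches both
# directions on that interface only.
pass in on $int_if proto tcp from $lan_net to any port { 80 443 } keep state
pass in on $int_if inet proto icmp from $lan_net to any icmp-type echoreq keep state

# WAN side is stateless: no state entry is created, so the reply arriving
# on $ext_if is evaluated by the "pass in" rule below like any other packet.
# "flags any" is required because replies and mid-stream packets are not
# SYN-only. "no state" exists in pf releases where keep state is the
# default; on older pf, simply omit "keep state".
pass out on $ext_if proto tcp from $lan_net to any port { 80 443 } flags any no state
pass in  on $ext_if proto tcp from any port { 80 443 } to $lan_net flags any no state
pass out on $ext_if inet proto icmp from $lan_net to any icmp-type echoreq no state
pass in  on $ext_if inet proto icmp from any to $lan_net icmp-type echorep no state
```

Two caveats a practitioner should weigh before adopting this. First, `nat` and `rdr` always create state, so this layout only gives per-packet evaluation for routed (non-NAT) traffic; behind NAT the reply will match the translation state regardless. Second, stateless TCP rules drop pf's sequence-window tracking and must admit `flags any`, so the external interface accepts a broader set of unsolicited segments than a stateful rule would; keep the stateless rules as narrow as the address and port ranges allow. `pfctl -vsr` shows per-rule packet counters, which confirms whether replies are now hitting the `$ext_if` rules, and `pfctl -ss` lists the states that remain.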