Board: FB_security
Title: Re: URGENT? (was: Re: NTP security hole CVE-2013-5211?)
Posted from: NCTU CS FreeBSD Server (Sat Mar 22 23:11:55 2014)
Relay path: ptt!csnews.cs.nctu!news.cednctu!FreeBSD.cs.nctu!.POSTED!freebsd.org!ow
On Sat, 22 Mar 2014 08:48:40 -0600
Brett Glass wrote:
> This is correct. And that's awkward, because you might not want all of
> these checks in one place. Also, if there are many dynamic rules this
> will slow traffic down quite a bit.
It should be the other way around. Once a flow has been learned it's
just a simple hash-table lookup once you hit the first stateful rule.
In pf most packets bypass the rules altogether.
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
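
Added illustration, not part of the original message and not ipfw or pf code: a toy Python model of the point made in the reply, where a packet belonging to a learned flow costs one hash lookup at the first stateful rule, however many static rules follow and however many dynamic states exist. The rule actions, addresses and rule counts are constructed assumptions for the sketch.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")

def flow_key(p):
    # Same key for both directions, so a reply matches the learned flow.
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + min(a, b) + max(a, b)

class Filter:
    def __init__(self, rules):
        self.rules = rules    # ordered list of (action, predicate)
        self.states = set()   # dynamic rules, keyed by flow

    def check(self, pkt):
        """Return (verdict, number of rules visited)."""
        for visited, (action, match) in enumerate(self.rules, start=1):
            if action == "check-state":
                if flow_key(pkt) in self.states:   # single hash lookup
                    return "pass", visited
            elif match(pkt):
                if action == "pass-keep-state":
                    self.states.add(flow_key(pkt))  # learn the flow
                    return "pass", visited
                return action, visited
        return "block", len(self.rules)             # default deny

def build_filter(n_filler=200):
    rules = [("check-state", None)]
    # Constructed filler rules that never match the sample traffic.
    rules += [("block", lambda p, port=10000 + i: p.dport == port)
              for i in range(n_filler)]
    rules.append(("pass-keep-state",
                  lambda p: p.proto == "udp" and p.src.startswith("10.")
                  and p.dport == 123))
    return Filter(rules)

def demo():
    fw = build_filter()
    out = Packet("udp", "10.0.0.5", 40000, "192.0.2.1", 123)
    reply = Packet("udp", "192.0.2.1", 123, "10.0.0.5", 40000)
    stray = Packet("udp", "192.0.2.9", 123, "10.0.0.5", 40000)
    first = fw.check(out)            # walks every static rule once
    for i in range(50000):           # many unrelated dynamic states
        fw.states.add(flow_key(Packet("udp", "10.9.9.9", i, "198.51.100.1", 123)))
    return first, fw.check(reply), fw.check(out), fw.check(stray)

if __name__ == "__main__":
    print(demo())
```

The first outbound packet visits all 202 rules, the reply and every later packet of that flow stop at rule 1, and an unsolicited packet with no state still walks the full list and is dropped.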