The man page defines this as "States can match packets on any interfaces." I understood this to mean that state created on one interface would automatically create state, or allow a related match, on another interface, but this is not the case. Simple example:
    Host A 10.0.0.2
    Firewall 10.0.0.1 (hvn0) 10.0.1.1
    Host B 10.0.1.2

/etc/pf.conf from the firewall:

    block log
    pass in on hvn0

With the above, traffic cannot pass from A to B. With pf disabled on the firewall, traffic passes. I expected state to be created from the incoming packet, and a state entry is, but the state is never complete/established (left as CLOSED:SYN_SENT) and this does not work, obviously.

So, what's the expanded definition of floating? And how does this compare to if-bound in the example above if it was applied to the pass rule? I've found related threads from the past, but I'm still confused and would appreciate a clue stick.

Thanks.
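The ruleset from the post next to a variant that lets A reach B, as an added example that is not part of the original post. The interface name hvn1 for the 10.0.1.1 side is an assumption, since the post does not name it.

```conf
# Constructed example. hvn1 is an assumed name for the interface that
# holds 10.0.1.1; the post names only hvn0.

# Ruleset from the post (A -> B fails):
#   block log
#   pass in on hvn0
#
# pf filters a forwarded packet twice: once inbound on hvn0 and once
# outbound on the interface facing Host B. "pass in on hvn0" creates a
# state for the inbound direction. A floating state is not tied to hvn0,
# but it still only matches packets travelling in the direction it was
# created for (and their replies in the opposite direction). The outbound
# pass on the second interface matches neither that state nor any pass
# rule, so "block log" drops the SYN and the state stays half-open.

# Optional: bind every state to the interface it was created on.
# Must appear before the filter rules if enabled.
# set state-policy if-bound

# Default deny, logged to pflog0.
block log

# Allow the flow on both filtering points. Each rule creates its own
# state: one "in" on hvn0, one "out" on hvn1.
pass in  on hvn0 inet from 10.0.0.2 to 10.0.1.2
pass out on hvn1 inet from 10.0.0.2 to 10.0.1.2

# Per-rule form of if-bound instead of the global option:
# pass in  on hvn0 inet from 10.0.0.2 to 10.0.1.2 keep state (if-bound)
# pass out on hvn1 inet from 10.0.0.2 to 10.0.1.2 keep state (if-bound)
#
# With symmetric routing both policies behave the same here. They differ
# only when a reply arrives on an interface other than the one the state
# was created on: a floating state still matches it, an if-bound state
# does not and the packet falls through to the ruleset.

# Checks on the firewall:
#   pfctl -vvss                       # states, with interface and creating rule
#   tcpdump -n -e -ttt -i pflog0      # logged blocks: rule, direction, interface
```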