on to something different...

pf has this wonderful tcp connection tracker: it looks at the tcp flags to advance the pf state as needed, and verifies the tcp sequence numbers against the window.

it cannot work when your machine only sees half of the connection: as in, traffic from A to B goes through your firewall, but the traffic from B to A takes another route. problem: pf doesn't see the window size announcements.

implemented a "sloppy" tracker: does the bare minimum, looking at the tcp flags, nothing else.
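as an added example (not from the talk), a pf.conf fragment that keeps full tracking as the default and enables the sloppy tracker only for the one-sided path; the interface and network names are placeholders:

```pf
# added example, not from the talk: a firewall that sees only the A -> B half
# of some connections (asymmetric routing)
# assumptions: $ext_if and $asym_net are placeholders, not real values

ext_if   = "em0"
asym_net = "192.0.2.0/24"   # constructed: hosts whose return traffic bypasses this box

# default: full tracking, sequence numbers checked against the advertised window
pass in on $ext_if proto tcp from any to any port 22 keep state

# asymmetric path only: just the tcp flags are tracked, window checks are skipped
# (keep this scoped narrowly, since sloppy gives up the sequence number validation)
pass in on $ext_if proto tcp from $asym_net to any keep state (sloppy)
```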