This email from Darren Reed discusses a potential firewall security bug in PF's state tracking code. The key points about the vulnerability are:

State Binding Options: PF states can be bound to a specific interface, to a group of interfaces, or left unbound. This includes:
- : State is tied to a specific interface.
- : State is tied to a group of interfaces.
- : State is not bound to a specific interface; this is the default behaviour.

Potential Security Risk: Under the default (unbound) policy, a packet arriving on any interface whose spoofed addresses match an existing state's characteristics (source/destination IP and, for UDP/TCP, port) is passed by that state, even though the state was created by traffic on a different interface. This could allow spoofed traffic, such as IKE packets, to pass through the firewall on an interface it was never meant to be accepted on.

Design Flaw: The sender indicates this may be a significant security flaw in PF's state tracking, which should prevent spoofed packets from matching existing states on unrelated interfaces. Although a mechanism to address this has been introduced ( / ), the default setting remains vulnerable.

Risk Assessment: While some consider the risk low, the sender regards it as a fundamental design flaw that should not exist, underscoring its potential severity.

Confirmation: The sender suggests that the documented PF behaviour (version 3.3) confirms this analysis.
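To make the matching behaviour the email criticises concrete, here is an added toy model of a stateful firewall's state table under the two binding behaviours the summary contrasts. It is example code written for this page, not Darren Reed's text and not PF's implementation: the policy names ANY_IFACE and PER_IFACE, the interface names ext0 and dmz0, and the addresses (drawn from the documentation ranges) are all this example's own constructions, not PF keywords or real hosts. It creates an IKE (UDP/500) state from an outbound packet on the external interface, then presents the genuine reply on that interface and a byte-identical spoofed copy injected on another interface.

```python
# Added example (not Darren Reed's text or PF's code): a toy state table that
# models the two binding behaviours the summary contrasts. The policy names
# ANY_IFACE / PER_IFACE, the interface names and all addresses below are this
# example's own constructions, not PF identifiers or real hosts.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ANY_IFACE = "any-iface"  # a state may match a packet arriving on any interface
PER_IFACE = "per-iface"  # a state matches only packets on the interface it was created on


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet was seen on
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


# A state is keyed on the 5-tuple in the direction that created it.
Key = Tuple[str, str, int, str, int]


@dataclass
class State:
    key: Key
    iface: str   # interface the state was created on


class StateTable:
    def __init__(self, policy: str) -> None:
        if policy not in (ANY_IFACE, PER_IFACE):
            raise ValueError(f"unknown policy {policy!r}")
        self.policy = policy
        self._states: Dict[Key, State] = {}

    @staticmethod
    def _key(p: Packet) -> Key:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> Key:
        # Reply traffic carries the original tuple with the endpoints swapped.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def create(self, p: Packet) -> State:
        st = State(self._key(p), p.iface)
        self._states[st.key] = st
        return st

    def lookup(self, p: Packet) -> Optional[State]:
        """Return the state a packet matches, honouring the binding policy.

        The model deliberately ignores direction flags, TCP sequence tracking
        and timeouts: the only question it answers is from which interfaces
        an existing state can be matched.
        """
        for key in (self._key(p), self._reverse_key(p)):
            st = self._states.get(key)
            if st is None:
                continue
            if self.policy == ANY_IFACE or st.iface == p.iface:
                return st
        return None


def ike_scenario(policy: str) -> Tuple[bool, bool]:
    """Create an IKE (UDP/500) state on ext0, then test a genuine reply on
    ext0 and a spoofed copy of that reply arriving on dmz0.

    Returns (genuine_reply_matched, spoofed_reply_matched).
    Addresses are constructed from the documentation ranges.
    """
    table = StateTable(policy)
    # Outbound IKE from an internal gateway to a remote peer, seen on ext0.
    table.create(Packet("ext0", "udp", "192.0.2.10", 500, "203.0.113.5", 500))
    genuine = Packet("ext0", "udp", "203.0.113.5", 500, "192.0.2.10", 500)
    # Same tuple, injected on dmz0 by a host that knows or guesses the peers.
    spoofed = Packet("dmz0", "udp", "203.0.113.5", 500, "192.0.2.10", 500)
    return (table.lookup(genuine) is not None, table.lookup(spoofed) is not None)


if __name__ == "__main__":
    for policy in (ANY_IFACE, PER_IFACE):
        genuine, spoofed = ike_scenario(policy)
        print(f"{policy}: genuine reply matched={genuine}, spoofed reply matched={spoofed}")
```

Under ANY_IFACE both lookups succeed: the spoofed packet on dmz0 is accepted by a state that only ext0 traffic should satisfy, which is exactly the behaviour the email describes for the default binding. Under PER_IFACE the genuine reply still matches, but the spoofed copy falls through to rule evaluation on dmz0, where an anti-spoofing rule can reject it. In PF terms PER_IFACE corresponds to the first binding option listed in the summary (state tied to a specific interface); the actual keyword for a given release is in that release's pf.conf(5), and a practitioner auditing a PF 3.x deployment should check which policy is in effect rather than assume the default is interface-aware.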