Wish for new details in specifying network rules

I want some more detail in specifying network rules (not application rules).

Giving me (for instance) the option of
Allow tcp from any to any dst port any, state ESTABLISHED

and

Allow tcp from me to any dst port any, state SETUP

or allow udp from me to any dst port any, keep-state

etc.

Keeping track of state would increase the memory overhead, but would lead to certain rules being controlled in the network part, instead of in the application part, thus keeping the CPU overhead minimal.

//Svein
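The trade-off described in the post above, as an added example that is not part of the original post and is not CPF code: a default-deny filter that implements the three wished-for rules with a state table. The packet model, addresses, names and the simplified FIN/RST teardown are assumptions made for this sketch.

```python
from collections import namedtuple

# Constructed packet model; field names are assumptions for this sketch.
Packet = namedtuple("Packet", "proto src sport dst dport flags")
ME = "192.0.2.10"      # constructed local address standing in for "me"
PEER = "198.51.100.7"  # constructed remote address

class StatefulFilter:
    def __init__(self):
        self.states = set()  # one entry per tracked flow: the memory overhead

    @staticmethod
    def flow_key(p):
        # Direction-independent key, so a reply maps to the entry that the
        # outbound packet created.
        return (p.proto, *sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def check(self, p):
        key = self.flow_key(p)
        if key in self.states:
            # "state ESTABLISHED" and replies to keep-state UDP flows:
            # a single set lookup, no further rule matching.
            if p.proto == "tcp" and p.flags & {"RST", "FIN"}:
                self.states.discard(key)  # simplified teardown frees the entry
            return "allow"
        if p.proto == "tcp" and p.src == ME and p.flags == {"SYN"}:
            self.states.add(key)  # "allow tcp from me to any, state SETUP"
            return "allow"
        if p.proto == "udp" and p.src == ME:
            self.states.add(key)  # "allow udp from me to any, keep-state"
            return "allow"
        return "deny"  # unsolicited inbound traffic matches no rule

def run_demo():
    fw = StatefulFilter()
    packets = [  # constructed sample traffic
        Packet("tcp", PEER, 443, ME, 50000, {"SYN", "ACK"}),  # no state yet
        Packet("tcp", ME, 50000, PEER, 443, {"SYN"}),         # setup
        Packet("tcp", PEER, 443, ME, 50000, {"SYN", "ACK"}),  # reply
        Packet("tcp", PEER, 443, ME, 50000, {"FIN", "ACK"}),  # teardown
        Packet("tcp", PEER, 443, ME, 50000, {"ACK"}),         # after teardown
        Packet("udp", PEER, 53, ME, 40000, set()),            # unsolicited
        Packet("udp", ME, 40000, PEER, 53, set()),            # keep-state
        Packet("udp", PEER, 53, ME, 40000, set()),            # reply
    ]
    return [fw.check(p) for p in packets], len(fw.states)
```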

Hello Svein

You might wanna make that as a ‘wish list’ and post that on the CPF Wishlist Rev 3 forum!

Thanks,
rki.