Thanks for all of the info! spurious_inode, thanks for the mailing list, I'm now signed up... looks like a good one. I liked the idea of being able to, uh, (no prettier way to say this) counter-attack with returns, but it *does* use bandwidth, little as it may be--so I'll probably just drop external incoming. I've considered problemchild's model before; dropping the denied incoming data from the web, and sending proper returns on the LAN side. Whatever I end up doing, I know I'll probably just drop incoming external pings anyway. There aren't many feelings like that of knowing your machine won't even respond to an echo :-) I don't want to use security through obscurity, it's just that even an ICMP echo return can give out which general type of OS you're using--the ping returns aren't all identical between OSs IIRC.

I'm specifically dropping all TCP incoming that doesn't match my redirect on 80 w/ flags S/SAFRUP. This is supposed to block the nmap FUP, SAFRUP (xmas scan), /SAFRUP (null xmas scan), and SF floods, since they're not explicitly allowed. Enough of my rambling... on to some more pf how-tos for me! Thanks again!
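As an added illustration (not the poster's own ruleset), here is a pf.conf sketch of the policy described in the post: silent `block drop` on the external interface, `block return` on the LAN side, a port-80 redirect whose pass rule only accepts a clean SYN via `flags S/SAFRUP`, and no answer to external echo requests. It uses the classic pre-4.7 `rdr` syntax of the era; the interface names and addresses are assumptions.

```pf
# Added example, not from the original post. Interface names and the
# web server address are assumed; adjust to your own network.
ext_if = "fxp0"
int_if = "fxp1"
web_srv = "192.168.1.10"

# Redirect inbound HTTP on the external address to the internal web host.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80

# External side: silently drop anything not explicitly passed below.
# No RST or ICMP unreachable goes back, so no bandwidth is spent replying.
block drop in on $ext_if all

# LAN side: deny with proper returns (TCP RST / ICMP unreachable) so
# local clients fail fast instead of waiting for a timeout.
block return in on $int_if all

# Only a packet with SYN set and ACK/FIN/RST/URG/PSH clear may open an
# HTTP state. FIN-only, SYN/FIN, XMAS (all set) and NULL (none set) probes
# fail this check and fall through to the block drop above.
# With rdr, the filter rule matches the translated (internal) address.
pass in on $ext_if proto tcp from any to $web_srv port 80 flags S/SAFRUP keep state

# Do not answer external echo requests at all.
block drop in on $ext_if inet proto icmp from any to any icmp-type echoreq

# LAN-originated and outbound traffic.
pass in on $int_if all keep state
pass out on $ext_if all keep state
```

pf evaluates rules top to bottom and the last matching rule wins (absent `quick`), so the broad `block drop` comes first and the narrow `pass` overrides it only for well-formed SYNs to port 80. On OpenBSD 4.7 and later the `rdr` line becomes a `rdr-to` option on the pass rule, and `keep state` is the default.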