>Thank you - that seems to have fixed the problem. Or worked around it,
>depending on whether it's a feature or a bug that misordered packets are
>rejected by IP Filter - surely, since they're a legitimate/expected part of
>normal TCP operation they should be allowed through if associated with an
>established stateful connection ...?
In this event, the errant packet is called a 'fragment' in ipf terminology. To allow fragmented packets, add a "keep frags" clause to your rules along with the "keep state". See: http://www.obfuscation.org/ipf/ipf-howto.html#TOC_23
