hmmm, are you using "return-*" with "out" rules or just "in" rules ?
I'm trying to replicate this problem, but so far, there's no evidence of leaking packets with just these rules:

# ipfstat -hio
empty list for ipfilter(out)
2599757 block return-icmp in proto icmp from any to any
270980 block return-rst in proto tcp from any to any port 9000 >< 9999

If you could monitor this problem by doing:

vmstat -m
netstat -m
ipfstat

...say every half hour, that would be good.

Cheers,
Darren
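A small collector for the half-hourly monitoring Darren asks for above, as an added example that is not part of the original message or of ipfilter itself. It assumes vmstat, netstat and ipfstat exist on the host being watched; the log path, interval and the COMMANDS override are hypothetical defaults chosen here so the snapshots can be compared later for a growing mbuf count.

```shell
#!/bin/sh
# Periodic mbuf / ipfilter snapshot collector (added example, not from the thread).
# Assumed defaults: log file, 30-minute interval, and the three commands from the
# message. Each can be overridden from the environment, e.g. COMMANDS for testing.
LOG="${LOG:-/var/tmp/ipf-leak.log}"
INTERVAL="${INTERVAL:-1800}"
COMMANDS="${COMMANDS:-$(printf 'vmstat -m\nnetstat -m\nipfstat')}"

# Append one timestamped section per command to $LOG.
# Returns the number of commands that failed (0 = every snapshot succeeded),
# so a missing tool or a permission problem is visible instead of silently
# producing an empty section.
snapshot() {
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    failures=0
    while IFS= read -r cmd; do
        [ -n "$cmd" ] || continue
        printf '=== %s: %s ===\n' "$ts" "$cmd" >> "$LOG"
        if ! sh -c "$cmd" >> "$LOG" 2>&1; then
            printf '(command failed or not found)\n' >> "$LOG"
            failures=$((failures + 1))
        fi
    done <<EOF
$COMMANDS
EOF
    return "$failures"
}

# Take a snapshot every $INTERVAL seconds until interrupted; a failed
# snapshot is reported on stderr but does not stop the loop.
monitor() {
    while :; do
        if ! snapshot; then
            printf 'warning: some monitoring commands failed at %s\n' "$(date)" >&2
        fi
        sleep "$INTERVAL"
    done
}

# Only start the loop when invoked as "sh collector.sh run"; sourcing the file
# just defines the functions.
if [ "${1:-}" = "run" ]; then
    monitor
fi
```

Run it in the background (or from cron with INTERVAL unused and a single `snapshot` call) and compare the `netstat -m` sections across snapshots: a steadily rising mbuf count under the same traffic is the symptom worth sending back with the ipfstat output.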
