On Fri, Apr 08, 2005 at 12:20:06PM +0100, [EMAIL PROTECTED] wrote:
>
> # SMTP
> pass in quick proto tcp from any to 128.40.182.5/32 port = 25 flags S
> keep state keep frags

If you're using ipfil 4 or higher, you can use log-first in the above rule. You'll then probably find out that the ack/fin you are seeing is a retransmission of the end of a valid tcp session, where the accompanying state entry already timed out on your ipf host and the other end of the connection somehow hasn't seen the ACK you sent.

-Guido
