Hi, > On Fri, Apr 08, 2005 at 12:20:06PM +0100, [EMAIL PROTECTED] wrote: > > > # SMTP > pass in quick proto tcp from any to 128.40.182.5/32 port = > 25 flags S > keep state keep frags > > If you're using ipfil 4 or higher, you can use log-first in the above > rule. You'll then probably find out that the ack/fin you are seeing is > a retransmission of the end of a valid tcp session, where the > accompanying state entry already timed out on your ipf host and the > other end of the connection somehow hasn't seen the ACK you sent.
Thanks, I will give that a try. I forgot to give versions in my first email: Solaris 8 pfil 2.1.6 ipfilter 4.1.8 -- Anthony Peacock CHIME, Royal Free & University College Medical School WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ All sweeping generalisations are false.
