Eric Behr came up with a workaround that fixes things for me with minimal fuss. I am trying to keep things stateful insofar as it is possible. His solution was to have, after the keep state rule, another rule to pick up the OOW packets, using an option I didn't even know existed, the "with oow" option.
e.g. stateful first:

    pass in quick proto tcp from X.Y.Z.0/24 to any flags S keep state keep frags
    pass out proto tcp from any to any flags S keep state keep frags

Then the hack for my OOW from problem child:

    pass in quick proto tcp from X.Y.Z.248/32 to any port = A with oow
    pass out quick proto tcp from any port = A to X.Y.Z.248/32 with oow

I would prefer a more elegant solution, but this works fine.
