On Tue, Aug 27, 2002 at 11:13:58AM -0400, Jason Houx wrote:

> @24 pass in log quick on rl1 inet proto tcp from 192.168.1.42/32 to
> 192.168.1.182/32 port = ssh flags S/FSRA

Note that this rule only applies to the initial SYN packet of each connection, not SYN+ACK or any further packets (flags S/FSRA means that SYN must be set, and FIN, RST and ACK must be unset for the rule to match). Since you don't create state (there's no 'keep state' in that rule), any further packets are NOT passed by this rule.

> Aug 27 10:22:51.793061 rule 9/0(match): block in on rl1:
> 192.168.1.42.58327 > 192.168.1.182.22: . ack 2336820352 win 33304

This is not an initial SYN packet, so rule 24 just does not apply.

In general, you want to add 'keep state' to all 'pass' rules.

Daniel
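As an added illustration (not part of Daniel's reply and not pf's own code), here is a small Python model of the two points above: how a pf 'flags a/b' check decides whether a packet matches, and what 'keep state' changes for the packets that follow the SYN. The addresses and ports come from the quoted rule and log line; the three packets, the direction-agnostic state key and the function names are constructed for this example, and interface direction (in/out) is deliberately ignored.

```python
"""Toy model of pf's 'flags S/FSRA' matching and 'keep state'.

Constructed example, not pf's own code. Flag letters follow pf.conf(5):
F=FIN S=SYN R=RST P=PSH A=ACK U=URG.
"""
from dataclasses import dataclass

TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def flag_bits(letters: str) -> int:
    """Turn a letter string such as 'SA' into a TCP flag bitmask."""
    bits = 0
    for ch in letters:
        bits |= TCP_FLAGS[ch]  # unknown letters raise KeyError, like pfctl rejecting the rule
    return bits


def flags_match(packet_flags: int, spec: str) -> bool:
    """pf 'flags a/b': only the flags listed in b are examined, and of
    those exactly the ones listed in a must be set. Flags outside b are
    ignored, so 'S/FSRA' still matches a SYN that also carries PSH."""
    check, mask = spec.split("/")
    return packet_flags & flag_bits(mask) == flag_bits(check)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # letters as above, e.g. "S", "SA", "A"

    def key(self) -> frozenset:
        # Direction-agnostic key (constructed simplification): a state
        # created by the client's SYN also covers the server's replies.
        return frozenset({(self.src, self.sport), (self.dst, self.dport)})


def filter_packets(packets, rule_flags: str = "S/FSRA", keep_state: bool = False):
    """Run packets through one 'pass ... flags <rule_flags>' rule followed
    by an implicit default block (in the thread, that block was rule 9).

    Returns a list of (packet, verdict) with verdict one of
    'pass (rule)', 'pass (state)' or 'block (default)'.
    """
    states = set()
    results = []
    for p in packets:
        if p.key() in states:
            # A state entry short-circuits the ruleset entirely.
            results.append((p, "pass (state)"))
        elif flags_match(flag_bits(p.flags), rule_flags):
            if keep_state:
                states.add(p.key())
            results.append((p, "pass (rule)"))
        else:
            results.append((p, "block (default)"))
    return results


# Constructed packets mirroring the connection from the thread.
CLIENT, SERVER = "192.168.1.42", "192.168.1.182"
PACKETS = [
    Packet(CLIENT, 58327, SERVER, 22, "S"),   # initial SYN from the client
    Packet(SERVER, 22, CLIENT, 58327, "SA"),  # SYN+ACK back from the server
    Packet(CLIENT, 58327, SERVER, 22, "A"),   # the '. ack' packet the log shows being blocked
]

if __name__ == "__main__":
    for keep in (False, True):
        print(f"keep state = {keep}")
        for p, verdict in filter_packets(PACKETS, keep_state=keep):
            print(f"  {p.src}.{p.sport} > {p.dst}.{p.dport} flags={p.flags:<2} -> {verdict}")
```

Running the block prints the stateless case first: only the SYN passes and both the SYN+ACK and the bare ACK fall through to the default block, exactly the behaviour Daniel describes. With keep_state=True the SYN creates a state entry and the two later packets pass on state without consulting the rule again.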
