> I added the second line because I would watch the pf device using tcpdump and see a small number of packets blocked that were coming from the web server on port 80 or port 443 to an outside machine. My understanding of pf is that the "keep state" condition on the incoming traffic rule should allow reply packets through. One poster on deadly.org simply suggested increasing timeouts, which could well address this issue.
Solaris or HP/UX web servers? Their TCP stack sometimes sends the infamous spurious ACK|FINs long after the connection closes. The default PF state code tries to account for some of those, but I have seen the ACK|FIN arrive many minutes after the state was deleted. You could add a rule to drop those in the proverbial bit bucket:

block in quick on $ext_if all flags AF/AF

.mike
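Before either raising state timeouts or adding a silent drop rule, it helps to confirm that the blocked packets really are late ACK|FINs on the web ports and not something else. The script below is an added example, not code from either poster: it parses tcpdump-style output from the pflog interface, applies the same ACK-and-FIN test that pf's "flags AF/AF" expresses, and reports how many blocked packets fit that pattern by direction. The log line shape, the addresses and the five sample lines are all constructed for the example; real pflog output varies by OpenBSD and tcpdump version, so LINE_RE may need adjusting.

```python
import re
from collections import Counter

# Constructed sample of pflog traffic in the shape printed by
# "tcpdump -n -e -ttt -i pflog0". Assumption: this line format; real
# output differs between OpenBSD/tcpdump versions, so adapt LINE_RE.
SAMPLE_PFLOG = """\
000000 rule 3/(match) block in on em0: 192.0.2.10.80 > 198.51.100.7.51234: Flags [F.], seq 1, ack 1, win 512, length 0
000105 rule 3/(match) block in on em0: 192.0.2.10.443 > 198.51.100.9.44123: Flags [F.], seq 1, ack 1, win 512, length 0
000210 rule 3/(match) block in on em0: 203.0.113.5.40000 > 192.0.2.10.22: Flags [S], seq 0, win 65535, length 0
000311 rule 3/(match) block in on em0: 192.0.2.10.80 > 198.51.100.7.51235: Flags [R.], seq 1, ack 1, win 0, length 0
000420 rule 3/(match) block out on em0: 192.0.2.10.443 > 198.51.100.9.44124: Flags [F.], seq 1, ack 1, win 512, length 0
"""

LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\(match\) (?P<action>block|pass) (?P<direction>in|out) "
    r"on (?P<iface>\w+): (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Ports the web server answers on; replies to clients carry these as source port.
WEB_PORTS = {80, 443}


def parse_line(line):
    """Return a dict for one pflog line, or None if the line does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def has_ack_fin(flags):
    """Mirror pf's 'flags AF/AF': ACK and FIN must both be set, other bits are
    ignored. tcpdump prints ACK as '.' and FIN as 'F'."""
    return "F" in flags and "." in flags


def is_late_fin_ack(rec):
    """A blocked ACK|FIN whose source port is a web port: the signature of a
    close segment that arrived after pf had already expired the state entry."""
    return (rec["action"] == "block"
            and rec["sport"] in WEB_PORTS
            and has_ack_fin(rec["flags"]))


def summarize(pflog_text):
    """Count blocked packets and how many of them look like late ACK|FINs,
    keeping the flag combinations of everything else for inspection."""
    blocked = 0
    late = Counter()
    other_flags = Counter()
    for line in pflog_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "block":
            continue
        blocked += 1
        if is_late_fin_ack(rec):
            late[rec["direction"]] += 1
        else:
            other_flags[rec["flags"]] += 1
    return {
        "blocked": blocked,
        "late_fin_ack": sum(late.values()),
        "late_by_direction": dict(late),
        "other_blocked_flags": dict(other_flags),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_PFLOG))
```

Feed it the saved tcpdump output from pflog0 instead of SAMPLE_PFLOG. If nearly all blocked packets land in late_fin_ack, the timeout or drop-rule approach discussed above addresses the real cause; anything left in other_blocked_flags (the SYN to port 22 and the RST in the sample) is unrelated and deserves its own look.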
