> Stateful inspection on gateway can hamper tcp-connections, when
> inbound or outbound packets go another route (i.e. when one of the
> directions does not go through the gateway).

well, yeah. How is a firewall supposed to deduce state if it doesn't see any replies? psychic deduction?

>
> Connection works fine at a low rate, but fast transfers stop at
> each 64K (because suddenly PF stops passing packets).
>
> I guess it is not a bug, just some feature (like some
> tcp-window-related state protection). So think, are there reasons to
> correct this PF behavior. Correct?

If you can design a prescient packet filter, then more power to you.

-kj
