[EMAIL PROTECTED] wrote:
> Why are the following packets being blocked? I know that I have flags
> S/SA modulate state, and that F or FP do not match S/SA, but does that
> matter since it's in state?
If I remember correctly, S/SA means "only accept flags where out of S and A, only S is set". I.e. that pattern is only checking the S and A flags, and couldn't care less about F or P.

However, in the packets that seem blocked, the S flag is not set, so those packets will not pass the rule you have to allow stuff out of $ext_if, and the last rule to match will be rule 0/0, which you have set to "block log-all all".

You should find out what is creating the packets you see, and determine why they are not setting the S flag. Once a session has begun, the return packet, and all further reply packets for that session, should be automatically allowed in/out because you have turned on stateful inspection for outgoing packets. So the packets you see blocked are likely the first packets with the destination and source address that you see in the log. Why they don't have the S flag set, I'm not sure.

-- 
Bob
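An added example, not code from the thread: a small Python model of the pf behaviour Bob describes, with check/mask flag matching for "flags S/SA" and a minimal stand-in state table, showing that F or FP packets pass only when a state already exists and otherwise fall through to the default block rule. The StateTable class, decide() function, rule set and addresses are constructed for illustration.

```python
# Added example (not from the thread). pf "flags CHECK/MASK" matches when the
# packet's bits selected by MASK equal CHECK, so "flags S/SA" inspects only S
# and A and ignores F and P. The state table below is a constructed stand-in.

FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

def parse_flags(spec):
    """Convert a pf-style flag string such as 'SA' or 'FP' into a bitmask."""
    return sum(FLAG_BITS[c] for c in spec)

def flags_match(packet_flags, check, mask):
    """pf 'flags CHECK/MASK': of the bits in MASK, exactly CHECK must be set."""
    return (parse_flags(packet_flags) & parse_flags(mask)) == parse_flags(check)

class StateTable:
    """Minimal stand-in for pf's state table; keyed so reply packets match."""
    def __init__(self):
        self.entries = set()

    @staticmethod
    def key(src, sport, dst, dport):
        return frozenset([(src, sport), (dst, dport)])

    def add(self, src, sport, dst, dport):
        self.entries.add(self.key(src, sport, dst, dport))

    def has(self, src, sport, dst, dport):
        return self.key(src, sport, dst, dport) in self.entries

def decide(table, pkt):
    """Default block rule (rule 0/0), then a hypothetical 'pass ... flags S/SA modulate state'."""
    src, sport, dst, dport, flags = pkt
    if table.has(src, sport, dst, dport):
        return "pass (state)"              # later packets of an open session
    if flags_match(flags, "S", "SA"):
        table.add(src, sport, dst, dport)  # new session: create state
        return "pass (rule)"
    return "block (rule 0)"                # no S flag and no state: logged

def run_demo():
    """Constructed packets: one normal session, then stray F/FP with no state."""
    table = StateTable()
    pkts = [("10.0.0.2", 40000, "203.0.113.5", 80, "S"),   # client SYN
            ("203.0.113.5", 80, "10.0.0.2", 40000, "SA"),  # server SYN-ACK
            ("10.0.0.2", 40000, "203.0.113.5", 80, "PA"),  # data
            ("10.0.0.2", 40000, "203.0.113.5", 80, "FA"),  # orderly close
            ("10.0.0.2", 40001, "203.0.113.5", 80, "FP"),  # no state, no S
            ("10.0.0.2", 40002, "203.0.113.5", 80, "F")]   # no state, no S
    return [decide(table, p) for p in pkts]
```

The last two packets are the case in the question: without an S flag and without an existing state entry they match neither the pass rule nor a state, so the default block rule logs them.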
