On Thu, Mar 31, 2005 at 02:12:12PM +0100, Bob wrote:
> [EMAIL PROTECTED] wrote:
> > Why are the following packets being blocked? I know that I have flags
> > S/SA modulate state, and that F or FP do not match S/SA, but does that
> > matter since it's in state?
>
> If I remember correctly, S/SA means "only accept flags where out of S
> and A, only S is set". I.e. that pattern is only checking the S and A
> flags, and couldn't care less about F or P.
>
> However, in the packets that seem blocked, the S flag is not set, so
> those packets will not pass the rule you have to allow stuff out of
> $ext_if, and the last rule to match will be rule 0/0, which you have set
> to "block log-all all".
>
> You should find out what is creating the packets you see, and determine
> why they are not setting the S flag.
>
> Once a session has begun, the return packet, and all further reply
> packets for that session, should be automatically allowed in/out because
> you have turned on stateful inspection for outgoing packets. So the
> packets you see blocked are likely the first packets with the
> destination and source address that you see in the log. Why they don't
> have the S flag set, I'm not sure.
> --
> Bob
>
The mail server is Postfix. Basically, S/SA is for initiating the connection, and after it's added to the state, it shouldn't matter what flags are passed. You are thinking these packets with F and FP are initial packets for a new connection? I am not so sure about that.
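
To make the two points in this exchange concrete (what `flags S/SA` actually examines, and why a FIN or FIN/PSH packet that has no state entry falls through to rule 0), here is an added example that is not from the thread and not pf's own code: a small Python model of a rule set consisting of `block log-all all` followed by `pass out ... flags S/SA modulate state`. The rule set, the packets and the addresses are constructed for illustration, and the model keeps only last-match evaluation, the `flags a/b` check and a state table keyed on the connection 4-tuple; it ignores `quick`, state timeouts and TCP sequence tracking.

```python
from dataclasses import dataclass
from typing import Optional

# TCP flag letters as pf.conf(5) spells them. The bit values are the standard
# TCP header bits and only serve to make the mask arithmetic explicit.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def flag_bits(letters: str) -> int:
    bits = 0
    for ch in letters:
        bits |= FLAG_BITS[ch]
    return bits


def flags_match(pkt_flags: str, spec: str) -> bool:
    """pf 'flags a/b': among the flags listed in b, exactly those in a must be
    set; flags not listed in b are not examined. So 'S/SA' matches S and SP
    (P lies outside the mask) but not SA, A, F or FP."""
    want, mask = spec.split("/")
    return flag_bits(pkt_flags) & flag_bits(mask) == flag_bits(want)


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    flags: Optional[str] = None  # e.g. "S/SA"; None matches any flag combination
    keep_state: bool = False     # 'keep state' / 'modulate state'


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


class PfModel:
    """Toy model of pf evaluation: state lookup first, then the rules in order
    with the last match winning (no 'quick'); no timeouts, no sequence checks."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()  # holds both directions of each tracked connection

    @staticmethod
    def _key(p: Packet):
        return (p.src, p.sport, p.dst, p.dport)

    def filter(self, p: Packet) -> str:
        # 1. A packet that belongs to an existing state passes without the
        #    rule set, and therefore without the flags check, being consulted.
        if self._key(p) in self.states:
            return "pass (state)"
        # 2. Otherwise walk the rules; the last matching rule decides.
        winner = None
        for r in self.rules:
            if r.flags is None or flags_match(p.flags, r.flags):
                winner = r
        if winner is None:
            return "pass (no rule matched)"
        if winner.action == "pass" and winner.keep_state:
            # With 'flags S/SA' only the initial SYN reaches this point; it
            # creates state for both directions so replies and the later FIN
            # are matched by the state table instead of the rules.
            self.states.add(self._key(p))
            self.states.add((p.dst, p.dport, p.src, p.sport))
            return "pass (rule, state created)"
        return winner.action


def build_ruleset() -> PfModel:
    # Constructed stand-in for the poster's rule set:
    #   rule 0: block log-all all
    #   rule 1: pass out on $ext_if proto tcp ... flags S/SA modulate state
    return PfModel([Rule("block"), Rule("pass", flags="S/SA", keep_state=True)])


def demo():
    """Constructed packets for an outbound SMTP session from the Postfix host.
    Returns the verdict for each packet in order."""
    pf = build_ruleset()
    mta, peer = "203.0.113.10", "198.51.100.25"  # constructed addresses
    return [
        pf.filter(Packet(mta, 40000, peer, 25, "S")),   # initial SYN
        pf.filter(Packet(peer, 25, mta, 40000, "SA")),  # SYN/ACK reply
        pf.filter(Packet(mta, 40000, peer, 25, "FP")),  # FIN/PSH, same session
        pf.filter(Packet(mta, 40001, peer, 25, "FP")),  # FIN/PSH, no state
        pf.filter(Packet(mta, 40002, peer, 25, "A")),   # bare ACK, no state
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The first three packets pass: the SYN by the rule, the SYN/ACK and the FIN/PSH by the state the SYN created. The last two carry no S flag and belong to no tracked connection, so the only rule that matches them is rule 0 and they are blocked. On a real pf host the corresponding check is to compare the logged packets against `pfctl -ss` (the state table) and `pfctl -vsr` (the rules with their numbers) at the time they are dropped.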
