On Mon, 12 Dec 2011 08:24:38 -0500 (EST) Wietse Venema <wie...@porcupine.org> wrote:
[snip]

> > There are two stateful engines: the TCP stack and ipfilter.

*nodding*

> > With "keep state", ipfilter "remembers" the connection and lets
> > packets pass, up to the point that ipfilter believes the connection
> > no longer exists.

Understood.

> > The TCP stack sends an outbound ACK|RST because it received
> > *something* on port 25. Your firewall should not have passed that.

Should not have passed it *incoming*, do you mean?

> Perhaps you don't have "flags S keep state" for inbound port 25
> traffic.

I do:

# SMTP to gateway
pass in quick on bge1 proto tcp from any to any port = 25 flags S keep state

(The stuff all says "any" because there are only two devices in the DMZ:
the border router's "inside" interface and the firewall's "outside" one.
It's a true DMZ.)

Regards,

Jim

-- 
Note: My mail server employs *very* aggressive anti-spam filtering. If
you reply to this email and your email is rejected, please accept my
apologies and let me know via my web form at
<http://jimsun.LinxNet.com/contact/scform.php>.
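Added illustration, not part of the thread and not ipfilter's code: a toy model of what the rule above ("pass in quick ... port = 25 flags S keep state", plus a default block) does with the state table, so that the two cases Wietse describes can be seen side by side. Only a packet with exactly the SYN flag set can create state; any other inbound packet to port 25 passes only while a state entry for its connection still exists, and once the entry has expired the packet is blocked, so the TCP stack never sees it and has nothing to answer with ACK|RST. Assumptions: "flags S" is modelled as "SYN set, all other TCP flags clear"; the idle timeout is a made-up constant (real ipfilter uses per-TCP-state timeouts and also tracks sequence numbers); interfaces are ignored; addresses and timestamps are constructed from the RFC 5737 documentation ranges.

```python
"""Toy model of an ipfilter-style 'pass in ... flags S keep state' rule.

Added example, not ipfilter source.  Assumptions: 'flags S' means SYN set and
no other flag set; idle_timeout is an invented constant; no interface handling.
"""
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving from the DMZ side) or "out" (leaving the gateway)
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    t: float         # arrival time in seconds (constructed)


class KeepStateFilter:
    """'pass in quick ... port = <port> flags S keep state' with default block."""

    def __init__(self, port=25, idle_timeout=120.0):
        self.port = port
        self.idle_timeout = idle_timeout   # assumption, not ipfilter's real timer
        self.state = {}                    # normalised 4-tuple -> time last seen

    @staticmethod
    def _key(p):
        # One entry serves both directions of a connection.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def _expire(self, now):
        # ipfilter "believes the connection no longer exists" after idling.
        dead = [k for k, last in self.state.items() if now - last > self.idle_timeout]
        for k in dead:
            del self.state[k]

    def process(self, p):
        """Return (verdict, reason); verdict is 'pass' or 'block'."""
        self._expire(p.t)
        k = self._key(p)
        if k in self.state:
            # State table hit: packets of a remembered connection bypass the rule list.
            if p.flags & RST:
                del self.state[k]          # peer tore the connection down; forget it
                return "pass", "state hit (RST, entry removed)"
            self.state[k] = p.t
            return "pass", "state hit"
        # No state: only the rule itself can admit the packet, and only a bare SYN.
        if p.direction == "in" and p.dport == self.port and p.flags == SYN:
            self.state[k] = p.t
            return "pass", "rule match: SYN to port %d, state created" % self.port
        return "block", "no state and no rule match"


def scenario():
    """Constructed SMTP connection through the rule; returns the verdict list."""
    fw = KeepStateFilter()
    client, gw = "192.0.2.10", "198.51.100.25"
    pkts = [
        Packet("in", client, 40000, gw, 25, SYN, 0.0),          # handshake: creates state
        Packet("out", gw, 25, client, 40000, SYN | ACK, 0.01),  # reply rides the state entry
        Packet("in", client, 40000, gw, 25, ACK, 0.02),
        Packet("in", client, 40000, gw, 25, PSH | ACK, 1.0),    # "EHLO ..." data segment
        # Same connection wakes up after a long silence: the entry has expired,
        # so the segment is blocked and the TCP stack never sees it (no ACK|RST).
        Packet("in", client, 40000, gw, 25, PSH | ACK, 500.0),
        # Stray ACK that never had a SYN (e.g. an ACK scan): never gets state.
        Packet("in", "203.0.113.7", 5555, gw, 25, ACK, 500.5),
        # SYN with ACK also set is not 'flags S' and creates no state.
        Packet("in", "203.0.113.7", 5556, gw, 25, SYN | ACK, 500.6),
    ]
    return [fw.process(p)[0] for p in pkts]


if __name__ == "__main__":
    for verdict in scenario():
        print(verdict)
```

The point of the last three packets is Wietse's: with this rule in place, a non-SYN segment for port 25 that has no live state entry is dropped before it reaches the host, so an outbound ACK|RST from the TCP stack means something got through that the state table did not know about.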