Hi!

> Packets which should have been allowed were being blocked by the
> catch-all rules, eg. ssh replies:
>
> Nov 7 18:48:46 fw ipmon[111]: [ID 702911 local0.warning] 18:48:45.520290 le2 @0:15 b y,22 -> x,44605 PR tcp len 20 44 -AS OUT
>
> The rule allowing x -> y port = 22 is:
>
> pass in quick proto tcp from x to y port = 22 flags S keep state group 200

Isn't it true that "flags S" means "S and ONLY S" i.e. packet with SA gets blocked? I've come to this conclusion with IPFilter 3.4.27, maybe earlier versions were different?

--
Toomas Aas | [EMAIL PROTECTED] | http://www.raad.tartu.ee/~toomas/
* A woman's husband's previous wife is called her 'wife-in-law.'
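
An added example, not part of the original message or of IPFilter's code: a small Python model of how a `flags <set>/<mask>` test and a `keep state` entry treat the SYN and the `-AS` reply from the log line above. It assumes, per ipf(5), that a bare `flags S` is compared against all six flag bits; the `StatefulFilter` class and its return strings are hypothetical, and real state tracking also checks TCP sequence windows and interfaces.

```python
# TCP flag bits as they appear in the TCP header.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALL_FLAGS = "FSRPAU"  # assumed default mask when the rule gives no "/mask"


def to_bits(letters):
    """Convert a flag string such as "SA" into its bitmask."""
    bits = 0
    for ch in letters.upper():
        bits |= FLAG_BITS[ch]
    return bits


def flags_match(spec, packet_flags):
    """Evaluate an ipf-style "flags <set>[/<mask>]" test against a packet."""
    wanted, _, mask = spec.partition("/")
    mask_bits = to_bits(mask or ALL_FLAGS)
    return (to_bits(packet_flags) & mask_bits) == to_bits(wanted)


class StatefulFilter:
    """Toy model: one 'pass ... flags <spec> keep state' rule, then block."""

    def __init__(self, src, dst, dport, spec):
        self.rule = (src, dst, dport, spec)
        self.states = set()

    def check(self, src, sport, dst, dport, flags):
        # The state table is consulted before the rule list.
        if (src, sport, dst, dport) in self.states:
            return "pass (state)"
        r_src, r_dst, r_dport, spec = self.rule
        if (src, dst, dport) == (r_src, r_dst, r_dport) and flags_match(spec, flags):
            self.states.add((src, sport, dst, dport))
            self.states.add((dst, dport, src, sport))  # reply direction
            return "pass (rule, state created)"
        return "block (catch-all)"


if __name__ == "__main__":
    fw = StatefulFilter("x", "y", 22, "S")  # hosts x and y as in the post
    print(fw.check("x", 44605, "y", 22, "S"))   # initial SYN
    print(fw.check("y", 22, "x", 44605, "SA"))  # SYN-ACK reply
```

In this model the SYN-ACK never matches the `flags S` rule itself, with or without a `/SA` mask; it passes only when a state entry for the connection already exists.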
