# ipfstat -io
pass out on ipdptp0 proto tcp/udp from 216.41.37.11/32 to any keep state
pass out on ipdptp0 proto icmp from 216.41.37.11/32 to any keep state
block in log quick on ipdptp0 proto icmp from any to 216.41.37.11/32
block in log quick from any to any with ipopt
block in log quick proto tcp from any to any with short
block in on ipdptp0 from any to any
pass in on ipdptp0 proto tcp from 208.218.130.0/27 to 216.41.37.11/32 port = 25 flags S/FSRPAU keep state keep frags
pass in on ipdptp0 proto tcp from any to 216.41.37.11/32 port > 32767 flags S/FSRPAU keep state keep frags head 100
block in from 0.0.0.0/8 to any group 100
block in from 10.0.0.0/8 to any group 100
block in from 127.0.0.0/8 to any group 100
block in from 169.154.0.0/16 to any group 100
block in from 172.16.0.0/12 to any group 100
block in from 192.0.2.0/24 to any group 100
block in from 192.168.0.0/16 to any group 100
block in from 216.41.37.11/32 to any group 100
block in from 224.0.0.0/3 to any group 100
http://coombs.anu.edu.au/~avalon/ipfil-flow.html
From this diagram, it appears that the packet filter rules operate on
outbound packets before NAT and on inbound packets after NAT.
As your firewall is set to default pass, the outbound packets didn't
match any of your rules but were passed without maintaining any
state information, and the inbound packets wouldn't have an existing
entry to match.
I would add a rule which would pass outbound packets from your
internal system to any.
When snooping for the traffic on the outside, was the outbound
traffic properly NAT'ed?
Additionally, the lack of active sessions or host mappings from
ipnat -slv seems odd.
-Mike
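The fix Mike describes, written out as an ipf.conf fragment. This is an added example, not part of the original post or the poster's ruleset; it assumes the internal LAN is 192.168.1.0/24 (hypothetical, the thread never names it), that ipdptp0 is the external interface as in the ipfstat output above, and that the existing rules stay in place.

```conf
# Added example (not from the original post). Assumptions: internal LAN is
# 192.168.1.0/24 (hypothetical), ipdptp0 is the external interface, and the
# ruleset shown by "ipfstat -io" above is otherwise unchanged.
#
# Per the ipfil-flow diagram, ipf filters OUTBOUND packets BEFORE NAT, so an
# outbound rule has to match the still-private internal source address, not
# 216.41.37.11. The existing "pass out ... from 216.41.37.11/32" rules only
# cover traffic originated by the firewall itself; LAN traffic fell through
# to the default pass with no state entry created.
#
# INBOUND replies are filtered AFTER NAT, i.e. after ipnat has rewritten the
# destination back to the internal address, so the state entry created here
# (internal src -> remote dst) is exactly what the reply is matched against.
# Without it, the reply hits "block in on ipdptp0 from any to any".

# TCP: create state on the initial SYN only (S set, FSRPAU masked, as in the
# poster's own rules), so mid-stream or spoofed segments cannot open state.
pass out quick on ipdptp0 proto tcp from 192.168.1.0/24 to any flags S/FSRPAU keep state

# UDP and ICMP have no handshake; keep state so DNS replies and ping
# responses are admitted by the state table rather than by a static
# "pass in" hole.
pass out quick on ipdptp0 proto udp  from 192.168.1.0/24 to any keep state
pass out quick on ipdptp0 proto icmp from 192.168.1.0/24 to any keep state
```

After reloading (`ipf -Fa -f /etc/opt/ipf/ipf.conf`), `ipfstat -sl` should list a state entry per outbound LAN connection, and `ipnat -l` should now show an active mapping for each one; if `ipnat -l` stays empty while `snoop -d ipdptp0` shows packets leaving with a 192.168.1.x source, the ipnat `map` rule is not matching and the outbound traffic is not being NAT'ed at all, which is the second thing Mike asks about. One unrelated detail worth checking in the group 100 anti-spoof block: `169.154.0.0/16` looks like a typo for the link-local range `169.254.0.0/16`.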