Hi Charles, [note: I'm not up on the -R or -AF flag details in IPF logs]
You could try with "flags S/SA" to enter the state entry just on the first SYN packet of any connection to/from your trusted hosts - S/SA being the most generous "start condition" combination, because it doesn't care about any FRUP flags; assuming TCP of course (just a thought, no guarantee it'll make a difference :)

Also, check out "ipfstat" and "ipfstat -s" occasionally, to see how your state table is going (are you running hundreds+ of concurrent sessions, or perhaps thousands of non-concurrent adjacent short sessions like HTTP?)

IIRC some (but I think earlier?) versions of IP Filter may have left old sessions in the state table too long, not clearing them out properly. That might result in some new states being lost. If your problem is only under heavy traffic or after lots of traffic, perhaps check the changelog for updates to the state code and see if any sound relevant?

Rgds, Stuart.

Stuart Remphrey
RMIT ITS Infrastructure Services - Unix Systems
Phone (03) 992 55 070 (or extension 55070)
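As an added illustration of the "flags S/SA" suggestion (not part of the original message), here is an IP Filter rule fragment with the flag-less rule beside the corrected one; the interface name ne0 and the trusted network 192.0.2.0/24 are assumed placeholders.

```conf
# Added example, not from the original message. Assumed values:
# interface ne0, trusted network 192.0.2.0/24.

# Before: no flag test. Any matching TCP packet from a trusted host (an
# ACK-only packet mid-stream, a stray FIN, a RST) can create a state entry,
# so the table fills with entries for connections IPF never saw start, and
# each one stays until its idle timeout expires.
pass in quick on ne0 proto tcp from 192.0.2.0/24 to any keep state
pass out quick on ne0 proto tcp from any to 192.0.2.0/24 keep state

# After: only the initial SYN creates a state. "S/SA" means "of the SYN and
# ACK bits, exactly SYN must be set"; FIN, RST, URG and PSH are not examined,
# which is why this is the most permissive start condition. Every later
# packet of the connection is matched by the state entry, not by the rule.
pass in quick on ne0 proto tcp from 192.0.2.0/24 to any flags S/SA keep state
pass out quick on ne0 proto tcp from any to 192.0.2.0/24 flags S/SA keep state

# TCP that is neither an initial SYN nor already in the state table is
# dropped and logged, so it shows up in the ipmon output for diagnosis.
block in log quick on ne0 proto tcp from any to any
```

With the second form in place, "ipfstat -s" should show the state count tracking the number of connections actually opened rather than every stray segment that matched a pass rule.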
