James Seymour:
> > > -AR means the ACK and RST flags are set.
> > > My question is why is your firewall blocking outbound ACK|RST?
> > 
> > I'm using basically "canned" rulesets in my ipfilter setup.  That is
> > the default deny at the end of bge1's output filters.
> > 
> > I must've messed up, somewhere.  I'll take a look in the morning.
> [snip]
> 
> Looking at it with fresh eyes, fortified by a cup of coffee :), if I
> messed up, I'll be darned if I can see where. The firewall rules
> related to this couldn't be more straightforward:
> 
>     .
> pass out quick on bge1 proto tcp from any to any port = 25 keep state
>     .
> block out log first quick on bge1 all
> 
> That's it.

There are two stateful engines: the TCP stack and ipfilter.

With "keep state", ipfilter "remembers" the connection and lets
packets pass, up to the point that ipfilter believes the connection
no longer exists.

The TCP stack sends an outbound ACK|RST because it received *something*
on port 25. Your firewall should not have passed that. Perhaps you
don't have "flags S keep state" for inbound port 25 traffic.

        Wietse

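A minimal ipfilter ruleset illustrating the point above, added here as an example and not taken from either poster; the interface name bge1 and port 25 come from the thread, the remaining rules are assumed for illustration.

```ipf
# Added example, not from the original thread. Interface bge1 and port 25
# come from the thread; everything else is assumed for illustration.

# Weak: inbound SMTP matched without "flags S", so any TCP segment to
# port 25 (a stray ACK included) creates a state entry. The TCP stack
# answers such a segment with ACK|RST, which matches no connection
# ipfilter considers open, so it falls through to the final outbound
# block rule and shows up in the log.
# pass in quick on bge1 proto tcp from any to any port = 25 keep state

# Corrected: only a SYN (ACK clear) may create state for inbound SMTP.
pass in  quick on bge1 proto tcp from any to any port = 25 flags S keep state

# Outbound SMTP: likewise only our own SYN may create state.
pass out quick on bge1 proto tcp from any to any port = 25 flags S keep state

# Default deny in both directions, logging the first packet of each flow.
block in  log first quick on bge1 all
block out log first quick on bge1 all
```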