Subject: Re: Change to bridging? (was Re: IPF and ssh
To: Mark Nelson <firstname.lastname@example.org>
From: Daniel Carosone <email@example.com>
Date: 11/19/2003 16:18:04
On Tue, Nov 18, 2003 at 01:13:11PM +0000, Mark Nelson wrote:
> On Tue, 18 Nov 2003, Julian Coleman wrote:
> To be honest I don't think my machine is set up to bridge, what I have is
> 3 interfaces -
> ex0 - connection to the net
> ex1 - connection to the local lan
> ex2 - connection to the DMZ
Are you doing any NAT on the same machine? I presume it must be
happening somewhere if ex0 is to the internet. Please provide this
config as well, as it might be part of the problem.
> What I would expect to happen is for the packet from the remote machine
> (126.96.36.199) to arrive on interface ex0 and be passed out on ex2 to the
> machine connected to that switch. The machine that is running ssh is
> trying to connect to a destination port on the remote machine (ip address
No, it's replying to the original request, but for some reason not
obeying the keep state (or not matching it).
> is stopping it happening. I assumed that because I had a keep state on
> the original rule
> pass out quick on ex0 proto tcp from any to 188.8.131.52 port = ssh flags S/SA keep state
As recommended earlier, add "log first" to this rule, and also
monitor ipstate transitions with either ipmon or ipfstat -t
> that any connections back to the remote machine would be passed, as this,
> I assumed, would be an established connection, or have I got confused about
> how the keep state directive works?
No, this part is correct, but you might have a problem elsewhere
in your rulebase so you're not using what you think you're using.
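The configuration Daniel is asking to see, as an added illustration that is not part of the thread and was not posted by either participant: an ipnat.conf and ipf.conf pair for the three-interface layout described (ex0 internet, ex1 LAN, ex2 DMZ), with "log first" added to the keep-state rule and a hypothetical earlier "quick" rule of the kind that would stop it from ever matching. The public address on ex0, the LAN and DMZ prefixes, and the NAT port ranges are assumptions; only the remote address 188.8.131.52 and the interface names come from the thread.

```conf
# Constructed example, not the poster's real config. Assumed addressing:
#   ex0 203.0.113.2 (internet), ex1 192.168.1.0/24 (LAN), ex2 192.168.2.0/24 (DMZ)

# --- /etc/ipnat.conf ---
# NAT on the internet-facing interface only. IPFilter runs NAT before the
# filter on inbound packets and after the filter on outbound packets, so the
# state table is keyed on the private DMZ/LAN addresses, never on 203.0.113.2.
map ex0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:20000
map ex0 192.168.1.0/24 -> 0/32
map ex0 192.168.2.0/24 -> 0/32 portmap tcp/udp 20001:30000
map ex0 192.168.2.0/24 -> 0/32

# --- /etc/ipf.conf ---
# Default deny both ways, logged, so anything that falls through is visible
# in ipmon rather than silently dropped.
block in log all
block out log all

# DMZ side: plain, stateless passes. Keeping these stateless means the only
# rule that creates state is the ex0 rule below, so every "log first" entry
# and every ipfstat -t line can be attributed to it.
pass in quick on ex2 proto tcp from 192.168.2.0/24 to 188.8.131.52 port = ssh
pass out quick on ex2 proto tcp from 188.8.131.52 port = ssh to 192.168.2.0/24

# PITFALL (hypothetical): a broad "quick" rule above the keep-state rule
# wins first match, creates no state, and the SYN/ACK coming back in on ex0
# then hits "block in log all". If a rule like this exists, move it below
# the keep-state rule or delete it.
# pass out quick on ex0 proto tcp all

# The poster's rule with "log first": the first packet of each new state
# entry is logged, so ipmon shows whether state is being created at all.
pass out log first quick on ex0 proto tcp from any to 188.8.131.52 port = ssh flags S/SA keep state
```

With this loaded, `ipmon -o S` prints the state-table events and `ipfstat -t` shows the live entries; if an outbound ssh SYN produces a "log first" line but the reply still lands on the `block in log all` rule, the problem is in the state match itself, whereas no "log first" line at all means an earlier rule is taking the packet before the keep-state rule is reached.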