Pavel Cahyna wrote:

>>so, clearly, the reply packets are being blocked by the outgoing "keep 
>>state" rule, and sure enough, when I comment that rule out, I can ping 
>>my machine from outside again.  Strangely enough, pinging from _inside_ 
>>works whether or not the rule is in place.  (as I expect it should)
>>
>>My question is:  this obviously changed between ipf 4.1.1 and 4.1.3 (at 
>>least as realized in 2.0_BETA/RC1, though I chatted with someone on IRC 
>>who is having a similar issue).  Is this the way it's supposed to work, 
>>or is something actually broken?  (I suspect the latter)
>>    
>>
>
>See PR 26856: pass in ... keep state actually block some packets, 
>this is exactly the same problem. Please append the information that
>it was introduced between ipf 4.1.1 and 4.1.3 to this PR. I suspected
>it, but wasn't sure.
>
>Bye	Pavel
>  
>
I have sent the pertinent info to gnats-bugs for appending to 
kern/26856.  Thanks!

+j

-- 
Jeff Rizzo                                    http://www.boogers.sf.ca.us/~riz/