Subject: Re: ipf blocking traffic
To: Martti Kuparinen <martti.kuparinen@iki.fi>
From: Roberto <roberto.trovo@redix.it>
List: current-users
Date: 02/03/2005 17:44:30
> Roberto wrote:
>
>> 1) is your firewall working and do you sometimes see these messages?
>
> Only sometimes, most of the time it's working just fine.
>
> Martti
>

OK, I asked because of the following: some months ago (actually on
NetBSD 1.6.2 and the bundled ipf?) I set up an ipf firewall and was using
stateful rules. The firewall blocked incoming connections to the LAN, but not
the incoming connections to the web server in the DMZ.

All went OK during the tests I made, and I put it into production.
Then, after a couple of days, I started to see blocked packets that according
to the rules (_stateful_ rules) should have passed through it! (Specifically, I
saw blocked packets coming from the internet to the local web server.)

At first I thought of a bug in my configuration or the software, but after a
small search on the internet and some tests I discovered that the state machine of ipf
may in some circumstances block packets that it doesn't recognize as valid
(for example a bad sequence number that does not fit in the current
window).

If you want, I can give you more details on it, but I'm leaving now ...
maybe later ...

Kind regards
Roberto

e-mail roberto.trovo [at] redix.it
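As an added illustration of the behaviour Roberto describes above (this is not ipf's code and not part of the thread): a simplified stateful tracker that accepts a TCP segment only when it overlaps the receive window it currently expects, so a segment with an out-of-window sequence number is dropped even though a stateless rule would pass it. The flow state and the sample segments are constructed for the demonstration.

```python
# Simplified TCP window tracking, as a stateful firewall might do it.
# Illustration only: not ipf's implementation; sample input is constructed.

MOD = 1 << 32  # TCP sequence numbers wrap modulo 2^32


def seq_in_window(seq, rcv_nxt, window):
    """True if seq lies in [rcv_nxt, rcv_nxt + window), handling wraparound."""
    return (seq - rcv_nxt) % MOD < window


class FlowState:
    """Per-direction state: the next sequence number the tracker expects and
    the window it believes the receiver advertised."""

    def __init__(self, rcv_nxt, window):
        self.rcv_nxt = rcv_nxt
        self.window = window

    def check(self, seq, length):
        """Return 'pass' if the segment overlaps the window, else 'block'.

        Mirrors the RFC 793 acceptability test: the first or the last byte of
        the segment must fall inside the window the tracker expects."""
        last = (seq + max(length, 1) - 1) % MOD
        if seq_in_window(seq, self.rcv_nxt, self.window) or \
           seq_in_window(last, self.rcv_nxt, self.window):
            if seq == self.rcv_nxt:  # in-order data advances the expectation
                self.rcv_nxt = (seq + length) % MOD
            return 'pass'
        return 'block'


def run_trace(start_seq, window, segments):
    """Feed constructed (seq, length) segments through one flow; return verdicts."""
    flow = FlowState(start_seq, window)
    return [(seq, flow.check(seq, length)) for seq, length in segments]


# Constructed sample: flow toward the web server with a 1000-byte window.
# The third segment is a well-formed TCP segment, but its sequence number lies
# outside the window the tracker expects, so the stateful check blocks it even
# though a stateless "pass in" rule would have let it through.
SAMPLE = [(0, 500), (500, 500), (5000, 100), (1000, 200)]

if __name__ == "__main__":
    for seq, verdict in run_trace(0, 1000, SAMPLE):
        print(f"seq={seq:>6} {verdict}")
```

The blocked segment is exactly what shows up in the firewall log as a drop of traffic that the rule set appears to allow; when auditing such drops, compare the logged sequence number against the state the tracker held at the time.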