Subject: ipmon log question
To: None <netbsd-users@netbsd.org>
From: None <mcmahill@mtl.mit.edu>
List: netbsd-users
Date: 08/17/2000 17:26:47

So I noticed today several attempts to access port 80 (www) via TCP that
were blocked with IPF. What I'm not sure of is if this was a hack attempt
or not. They came in quick bursts off and on for a few hours. An example
of the type of packets is:
len 20 40 -A
len 20 40 -A
len 20 503 -AP
len 20 40 -R
len 20 40 -R
len 20 40 -R
len 20 40 -A
len 20 503 -AP
len 20 40 -A

Is this normal to not see any packets with the SYN flag? I was blocking
everything to that port on that machine so I'd have seen S as well if it
were set.
Thanks
-Dan