Subject: Re: On the performance of ipfilter
To: None <email@example.com>
From: David Howland <firstname.lastname@example.org>
Date: 04/06/2005 11:43:45
Answering several emails:
> He should check his duplex settings on the LAN between FW and
> cable modem.
The card is set to Autodetect, which I'm sure is what the cable modem uses.
> Does the kernel print some message about NMBCLUSTERS (in
> /var/log/messages, or dmesg)? How many state entries do you
> have in kernel when this happens (use ipnat -l and ipfstat -sl)?
It always happens. However, I've seen ipnat -l list up to one or two
hundred mappings or redirects at a time. From what I've read, this
should be well within the ability of the software to handle.
> Now I'd be interested in seeing his ifconfig setup too.
$ ifconfig ex0
ex0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
media: Ethernet autoselect (100baseTX full-duplex)
inet 65.x.x.x netmask 0xfffffc00 broadcast 255.255.255.255
> The obvious question: what happens if you disable ipfilter?
> (Either through /etc/rc.d/ipfilter stop or by removing it from
> the kernel.)
Ok, I'd like to try that. But, how can I? If I remove ipfilter, I will
have no NAT. No packets will make it back to my internal network.
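The two checks the thread asks for (negotiated duplex on the firewall's interface, and how many NAT sessions ipfilter is holding) can be scripted so they are repeatable. The script below is an added example and is not code from the thread or from the ipfilter project; it parses the style of ifconfig(8) output quoted above and an assumed "ipnat -l" layout (a "List of active sessions:" header followed by MAP/RDR lines). Both sample outputs are constructed, the interface name and addresses are placeholders, and the session threshold is an arbitrary value chosen for the example.

```shell
# Constructed ifconfig(8) output in the same shape as the one quoted in the thread
# (addresses are placeholders, not the poster's).
IFCONFIG_SAMPLE='ex0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	media: Ethernet autoselect (100baseTX full-duplex)
	inet 65.0.0.1 netmask 0xfffffc00 broadcast 255.255.255.255'

# Constructed "ipnat -l" output; the session-line format is an assumption for this example.
IPNAT_SAMPLE='List of active MAP/Redirect filters:
map ex0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:40000
map ex0 192.168.1.0/24 -> 0/32

List of active sessions:
MAP 192.168.1.10    49152 <- -> 65.0.0.1      10001 [198.51.100.7 80]
MAP 192.168.1.11    49153 <- -> 65.0.0.1      10002 [198.51.100.8 443]
RDR 192.168.1.20       22 <- -> 65.0.0.1         22 [203.0.113.9 51000]'

# Read ifconfig output on stdin and print the negotiated duplex: "full", "half" or "unknown".
# A media line of the form "media: Ethernet autoselect (100baseTX full-duplex)" is expected;
# interfaces without a media line (e.g. lo0) report "unknown".
negotiated_duplex() {
    sed -n 's/.*media:.*(\([^ ]*\) \([a-z]*\)-duplex).*/\2/p' | head -n 1 | grep . || echo unknown
}

# Read "ipnat -l" output on stdin and print the number of active session entries,
# i.e. MAP/RDR lines after the "List of active sessions:" header (rule lines above it are skipped).
count_nat_sessions() {
    awk '/^List of active sessions/ { in_sessions = 1; next }
         in_sessions && /^(MAP|RDR)/ { n++ }
         END { print n + 0 }'
}

# Report whether the session count is below an arbitrary threshold (default 1000): prints "ok" or "high".
session_load() {
    threshold="${2:-1000}"
    if [ "$1" -lt "$threshold" ]; then echo ok; else echo high; fi
}

# Stand-alone run over the constructed samples; on a real box replace the samples with
# "ifconfig ex0" and "ipnat -l".
duplex=$(printf '%s\n' "$IFCONFIG_SAMPLE" | negotiated_duplex)
sessions=$(printf '%s\n' "$IPNAT_SAMPLE" | count_nat_sessions)
echo "duplex=$duplex sessions=$sessions load=$(session_load "$sessions")"
```

A half-duplex result on the firewall side while the modem runs full-duplex is the mismatch the earlier reply was asking about; the session count is what to compare against the NMBCLUSTERS messages the other reply mentions, since a few hundred mappings, as reported in the thread, is a small table.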