Subject: Re: 30-60 sec SMTP delay with ipf.conf configuration.
To: Alicia da Conceicao <alicia@cyberstation.ca>
From: None <itojun@iijlab.net>
List: port-i386
Date: 01/08/2000 01:31:55
it belongs to tech-net actually...
>Another chapter in this continuing IPF saga. My current /etc/ipf.conf,
>which is attached at the end of this e-mail, works great. It provides
>protection against bad packets, and connections to my gateway/firewall
>are restricted to only those ports and protocols I allow. In addition,
>those on the inside (LAN) of the gateway can freely access the Internet
>via the gateway, without any restrictions.
>
>However, with this IPF configuration, there is an extra 30-60 sec delay
>when establishing an SMTP client connection, from inside the firewall,
>to an outside sendmail server on a NetBSD 1.4.1 machine. This delay does
>not apply to other types of tcp/udp connections, including ftp (passive)
>and pop connections. This delay only appears with SMTP, and this delay
>goes away when I remove the last section of rulesets from my ipf.conf
>configuration.
I think you should run tcpdump(8) to check the exact source.
Here are a few candidates that may affect the story:
- ident protocol (113/tcp)
- DNS - like 53/tcp data transfer on large-volume data, reverse lookup
request from the outside (you seem to allow only single direction?)
itojun
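To make the tcpdump(8) suggestion above concrete, here is an added example (not part of the original thread) in Python that scans classic tcpdump text output for TCP SYNs that never got any packet back (no SYN/ACK, no RST) and reports how many times the SYN was resent and how long the sender stalled. The capture lines, hostnames and addresses are constructed for the example.

```python
import re
# Classic tcpdump TCP line: "HH:MM:SS.ffffff src.sport > dst.dport: FLAGS ..."
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d+) (\S+)\.(\d+) > (\S+)\.(\d+): (\S+)")

def parse_line(line):
    """Return (ts_us, src, sport, dst, dport, flags) or None for lines that are not TCP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    secs = int(m.group(1)) * 3600 + int(m.group(2)) * 60 + int(m.group(3))
    ts = secs * 10**6 + int(m.group(4).ljust(6, "0")[:6])
    return ts, m.group(5), int(m.group(6)), m.group(7), int(m.group(8)), m.group(9)
def find_unanswered_syns(lines, watch_ports=None):
    """List SYNs that never saw any packet back (silently dropped): peer, destination
    port, number of SYN (re)transmissions and the seconds the sender stalled."""
    attempts = {}  # (src, sport, dst, dport) -> [first_ts, last_ts, syn_count]
    seen = set()   # every 4-tuple that sent something; a reply marks the reverse tuple
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        ts, src, sport, dst, dport, flags = p
        seen.add((src, sport, dst, dport))
        if flags == "S" and " ack " not in line:  # plain SYN, not a SYN/ACK
            rec = attempts.setdefault((src, sport, dst, dport), [ts, ts, 0])
            rec[1], rec[2] = ts, rec[2] + 1
    result = []
    for (src, sport, dst, dport), (first, last, n) in attempts.items():
        answered = (dst, dport, src, sport) in seen  # SYN/ACK or RST came back
        if answered or (watch_ports is not None and dport not in watch_ports):
            continue
        result.append({"src": src, "dst": dst, "dport": dport, "syns": n,
                       "stall": (last - first) / 1e6})
    return result
# Constructed capture on the gateway's outside interface (addresses made up):
# 198.51.100.1 is the gateway, 203.0.113.5 the remote sendmail host.
SAMPLE = """\
01:31:55.000000 198.51.100.1.1025 > 203.0.113.5.25: S 1000:1000(0) win 16384 <mss 1460>
01:31:55.050000 203.0.113.5.25 > 198.51.100.1.1025: S 2000:2000(0) ack 1001 win 8760
01:31:55.060000 203.0.113.5.1030 > 198.51.100.1.113: S 3000:3000(0) win 8760
01:31:58.060000 203.0.113.5.1030 > 198.51.100.1.113: S 3000:3000(0) win 8760
01:32:04.060000 203.0.113.5.1030 > 198.51.100.1.113: S 3000:3000(0) win 8760
01:32:16.060000 203.0.113.5.1030 > 198.51.100.1.113: S 3000:3000(0) win 8760
01:32:25.100000 203.0.113.5.25 > 198.51.100.1.1025: P 1:82(81) ack 1 win 8760
"""

if __name__ == "__main__":
    for r in find_unanswered_syns(SAMPLE.splitlines()):
        print("%s -> %s port %d: %d SYNs unanswered, stalled %.1fs"
              % (r["src"], r["dst"], r["dport"], r["syns"], r["stall"]))
```

In the constructed capture the remote mail host's ident query to 113/tcp is dropped silently, so it retransmits and the SMTP banner only arrives 30 s after the connection opened; a firewall that answered such probes with a RST instead of dropping them would let the peer give up at once.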