Subject: IPF state and spurious blocks
To: None <tech-net@netbsd.org>
From: Wolfgang Rupprecht <wolfgang@wsrcc.com>
List: tech-net
Date: 05/27/1999 07:22:19
Does anyone here use IPF with the TCP state option?  This set of rules
works most of the time.  Every once in a while the state generated at
"out @2" seems to fail.  I'm assuming it's a timing issue of some sort.
Anyone else seeing this?

I'm seeing intermittent spurious blockings as follows:

    May 25 06:44:30 capsicum ipmon[118]: 06:44:30.141093 de0 @0:4 b
    ftp.netbsd.org,supfilesrv -> c460058-a.frmt1.sfba.home.com,64808
    PR tcp len 20 552 -A

# de0 outside iface - de1 inside iface

@1 pass in quick on de1 from any to any
@2 block in on de0 from any to any
@3 block return-icmp(host-unr) in log on de0 from any to 24.1.65.208/32
@4 block return-rst in log proto tcp from any to 24.1.65.208/32
@5 pass in from any to 224.0.0.0/4
@6 pass in proto icmp from any to 24.1.65.208/32
@7 pass in proto tcp from any to 24.1.65.208/32 port = 22
@8 pass in proto tcp from any to 24.1.65.208/32 port = 23
... [ rest of the TCP/UDP pass rules snipped -wsr  ]
@27 block in log quick proto tcp from any to any with short
@28 block return-icmp(port-unr) in log quick on de0 from 127.0.0.0/8 to any

@1 pass out quick on de1 from any to any
@2 pass out on de0 proto tcp from any to any flags S/FSRA keep state
@3 pass out on de0 proto udp from any to any port = 53 keep state
@4 pass out log quick on de0 to de1:140.174.88.2 from 140.174.88.1/32 to any
@5 pass out log quick on de0 to de1:140.174.88.2 from 140.174.88.14/32 to any


-wolfgang
-- 
       Wolfgang Rupprecht <wolfgang+gnus@dailyplanet.wsrcc.com>
		    http://www.wsrcc.com/wolfgang/
DGPS signals via the Internet  http://www.wsrcc.com/wolfgang/gps/dgps-ip.html
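To make the mechanism behind that log line concrete, here is an added Python model of IPF's inbound decision for the rules quoted above (example code written for this page, not from the post and not IPF's own code). It assumes the home.com name ipmon printed resolves to the 24.1.65.208 host the rules name.

```python
import re
from collections import namedtuple

HOST = "24.1.65.208"  # the inside host the posted rules protect
Packet = namedtuple("Packet", "iface proto src sport dst dport flags")

def tcp_to_host(p):
    return p.proto == "tcp" and p.dst == HOST

# Inbound rules @2, @3, @4 and @7 of the post as matcher functions.
RULES_IN = [  # (rule number, action, quick, matcher)
    (2, "block", False, lambda p: p.iface == "de0"),
    (3, "block return-icmp", False, lambda p: p.iface == "de0" and p.dst == HOST),
    (4, "block return-rst", False, tcp_to_host),
    (7, "pass", False, lambda p: tcp_to_host(p) and p.dport == 22),
]

def evaluate_in(pkt, state):
    """State table first; else the LAST matching rule wins unless it is 'quick'."""
    # 'state' holds (src, sport, dst, dport) of outbound packets that kept state;
    # an inbound reply matches it with the addresses and ports swapped.
    if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in state:
        return ("pass", "state")
    verdict = ("pass", None)  # IPF passes when no rule matches at all
    for num, action, quick, match in RULES_IN:
        if match(pkt):
            verdict = (action, num)
            if quick:
                break
    return verdict

IPMON_RE = re.compile(
    r"(?P<iface>\w+) @\d+:\d+ [bp] (?P<src>\S+),(?P<sport>\S+) -> "
    r"(?P<dst>\S+),(?P<dport>\S+) PR (?P<proto>\w+) len \d+ \d+ (?P<flags>\S+)")

def parse_ipmon(line, names):
    """ipmon line -> Packet; 'names' maps hostnames ipmon resolved back to rule addresses."""
    m = IPMON_RE.search(line)
    if not m:
        raise ValueError("not an ipmon block/pass line: " + line)
    port = lambda s: int(s) if s.isdigit() else s
    return Packet(m["iface"], m["proto"], names.get(m["src"], m["src"]),
                  port(m["sport"]), names.get(m["dst"], m["dst"]),
                  port(m["dport"]), m["flags"])

# The post's log line re-joined onto one line (it wraps in the mail).
LOG = ("May 25 06:44:30 capsicum ipmon[118]: 06:44:30.141093 de0 @0:4 b "
       "ftp.netbsd.org,supfilesrv -> c460058-a.frmt1.sfba.home.com,64808 "
       "PR tcp len 20 552 -A")
# Assumption: that home.com name is the 24.1.65.208 host the rules name.
NAMES = {"c460058-a.frmt1.sfba.home.com": HOST}
```

With an empty state table the logged ACK-only packet ends at rule 4 (block return-rst, exactly what "@0:4 b" reports); with the outbound SYN's state entry present it passes before any rule is consulted.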