Subject: Re: IPF and ssh
To: Mark Nelson <mn@tardis.cx>
From: Jim Bernard <jbernard@mines.edu>
List: current-users
Date: 11/18/2003 07:52:02
On Mon, Nov 17, 2003 at 04:24:44PM +0000, Mark Nelson wrote:
> 
> I have an ipf-based firewall, I have the rule -
> 
> pass in quick on ex0 proto tcp from any to 10.119.6.226 port = ssh flags S/SA keep state
> 
> ex0 is my external interface.
> 
> However, when I try to connect to the machine the connection is blocked
> and I get the following line in the firewall log.
> 
> 17/11/2003 15:44:18.943806 ex2 @0:19 b 10.169.6.226,22 -> 10.32.160.78,34502 PR tcp len 20 552 -A IN

  Are you sure the rule cited above is actually taking effect, in the
sense that the initial packet is passed by that rule and causing a
state-table entry to be created?  If another rule is passing the packet,
the state-table entry won't be created, and the packets associated with
the connection will have to fend for themselves in the nest of rules.

  Try running ipfstat -t on the gateway box while you attempt an incoming
connection.  You'll see immediately whether a state-table entry is created
or not.  Also, as someone else suggested, enabling logging on that rule
should tell you whether it's actually being used.
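A small helper for the diagnosis Jim describes, added here as an example (not from either poster): it parses ipmon log lines of the shape quoted above, pulls out the interface, rule index, action and TCP flags, and, given the interface your "keep state" pass rule sits on, says whether the blocked packet was the initial SYN (the pass rule never matched) or a later packet (no state-table entry matched it). The sample line is the one quoted in the thread; the function names are my own.

```sh
#!/bin/sh
# Sample ipmon line, copied from the one quoted in the thread (constructed input for the demo).
SAMPLE='17/11/2003 15:44:18.943806 ex2 @0:19 b 10.169.6.226,22 -> 10.32.160.78,34502 PR tcp len 20 552 -A IN'

# ipf_log_summary: read ipmon lines on stdin and print one normalised summary per line.
# Field layout of an ipmon line: date time iface @group:rule action src,sport -> dst,dport PR proto len hlen tlen flags dir
ipf_log_summary() {
    awk '
    $4 ~ /^@/ && ($5 == "b" || $5 == "p") {
        split($6, s, ","); split($8, d, ",")
        act = ($5 == "b") ? "BLOCK" : "PASS"
        printf "%s iface=%s rule=%s %s:%s -> %s:%s proto=%s flags=%s dir=%s\n",
               act, $3, substr($4, 2), s[1], s[2], d[1], d[2], $10, $14, $15
    }'
}

# ipf_diagnose IFACE: IFACE is the interface named in your "pass ... keep state" rule.
# For each blocked TCP packet, say whether it looks like the first SYN (the pass rule
# did not match, so no state entry was ever made) or a mid-connection packet (a state
# entry should have passed it but none matched), and flag a mismatching interface.
ipf_diagnose() {
    rule_if=$1
    awk -v rif="$rule_if" '
    $4 ~ /^@/ && $5 == "b" && $10 == "tcp" {
        flags = $14
        if (index(flags, "S") && !index(flags, "A"))
            why = "initial SYN blocked: the pass rule did not match it"
        else
            why = "non-SYN packet blocked: no state-table entry matched it"
        if ($3 != rif)
            why = why "; note it was logged on " $3 ", not " rif
        printf "rule %s on %s (%s): %s\n", substr($4, 2), $3, $15, why
    }'
}

# Typical use on the gateway: ipmon -o I /var/log/ipflog | ipf_diagnose ex0
printf '%s\n' "$SAMPLE" | ipf_log_summary
printf '%s\n' "$SAMPLE" | ipf_diagnose ex0
```

Pair this with `ipfstat -t` while the connection attempt is in flight: if no entry appears for the client's SYN, the pass rule is not the one passing it.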