Subject: Re: IPF state and spurious blocks
To: Wolfgang Rupprecht <wolfgang@wsrcc.com>
From: Alan Barrett <apb@iafrica.com>
List: tech-net
Date: 05/28/1999 09:44:04
> Does anyone here use IPF with the TCP state option?  This set of rules
> works most of the time.  Every once in a while the state generated at
> "out @2" seems to fail.  I'm assuming it's a timing issue of some sort.
> Anyone else seeing this?

Yes.  The scenario I have seen goes something like this:

    connection is alive with a window of 2048 bytes and expected
    next TCP sequence number N

    a data packet (TCP sequence number N, payload length 1400 bytes)
    gets delayed or dropped in the network

    the next data packet arrives (TCP sequence number N+1400, payload
    length 1400 bytes)

        - ipf permits this packet to go through to the TCP layer
        - ipf now believes that the next expected TCP sequence
          number is N+2800 and the window is 2048.

    a delayed or retransmitted copy of the lost packet arrives (TCP
    sequence number N, payload length 1400 bytes)

        - ipf would be willing to accept TCP sequence numbers between
          (N+2800-2048) and (N+2800+2048), but this packet fails the
          test, so ipf blocks this packet.

    more copies of the blocked packet keep arriving, because the
    sender thinks they are being lost in the network.

        - ipf keeps on blocking them.

--apb (Alan Barrett)
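The scenario in Alan's reply, replayed as a small model. This is an added example, not IPF source code and not something either poster wrote: the window (2048), the segment size (1400) and the "next expected sequence number" check are taken from the message; the packet trace, the concrete value chosen for N, and the ack-aware tracker shown for contrast are constructed assumptions. The second tracker is there only to illustrate what the check needs to remember (the peer's ACK, i.e. the lowest byte the receiver still wants) for a retransmission of lost data to remain acceptable; it is not a description of how any particular firewall implements it.

```python
"""Replay of the IPF TCP state-tracking scenario from the message above.

Added example, not IPF code.  WINDOW, the 1400-byte segments and the
"next expected sequence number" rule come from the message; the packet
trace, the value of N and the ack-aware tracker are constructed.
"""

WINDOW = 2048          # window size stated in the message
N = 100_000            # constructed base sequence number standing in for "N"

# Constructed packet trace: (sequence number, payload length) in the order
# the firewall sees them.  The segment at N is lost on its first transmission
# and shows up later as a retransmission, as the message describes.
TRACE = [
    (N + 1400, 1400),   # second segment arrives first (first one was dropped)
    (N, 1400),          # retransmission of the lost first segment
    (N, 1400),          # sender retries again because it never sees an ACK
]


def expected_window_tracker():
    """Tracker behaving as the message describes ipf: remember only the next
    expected sequence number, accept anything within +/- WINDOW of it, then
    move the expectation past whatever was just accepted."""
    state = {"next_seq": N}

    def check(seq, length):
        lo = state["next_seq"] - WINDOW
        hi = state["next_seq"] + WINDOW
        if lo <= seq <= hi:
            # after the out-of-order segment this jumps to N+2800, so the
            # acceptable range becomes [N+752, N+4848] and N falls outside it
            state["next_seq"] = seq + length
            return "pass"
        return "block"

    return check


def ack_aware_tracker():
    """Assumed contrast tracker (not from the message): the left edge of the
    acceptable range is the peer's last ACK, the lowest byte the receiver
    still needs, so a retransmission of unacknowledged data is still in range."""
    state = {"acked": N}   # receiver has acknowledged everything before N

    def check(seq, length, peer_ack=None):
        if peer_ack is not None:               # update from the peer's ACK
            state["acked"] = max(state["acked"], peer_ack)
        lo = state["acked"]
        hi = state["acked"] + WINDOW
        # accept if the segment carries at least one byte inside [lo, hi]
        if seq + length > lo and seq <= hi:
            return "pass"
        return "block"

    return check


def replay(tracker_factory, trace=TRACE):
    """Run a trace through a fresh tracker and return the per-packet verdicts."""
    check = tracker_factory()
    return [check(seq, length) for seq, length in trace]


if __name__ == "__main__":
    for name, factory in (("expected-window", expected_window_tracker),
                          ("ack-aware", ack_aware_tracker)):
        print(name, list(zip(TRACE, replay(factory))))
```

Running it shows the first tracker passing the out-of-order segment and then blocking every copy of the retransmitted segment at N, which is the symptom in the original question; the ack-aware variant passes all three because the receiver never acknowledged past N.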