> One other point I needs some clarification on, in my searching around I did
This kind of thing has happened to me in the past; likely you're doing
something wrong with your state building in the first place so that
you're getting state built one direction one interface and checked on
a different one, or similar.
If you simplify your ruleset as a temporary test, you'll probably find
things magically work. If so you'll know it's not the Linux boxen or
firewall itself but your policy. Gradually add components back into
the ruleset and you'll likely narrow down where you've b0rked it.
> A couple of other points, I have tried various combinations of scrubing in my
Yeah, when I went through it scrub rules had nothing to do with it.
All state, period. (Note that in -current the default is now to
implicitly build rules with both 'keep state' and 'S/SA' without
having to specify; default stateful behavior makes these boo-boos less
likely.)
When I had the same problem, it was very erratic and seemed isolated
to a Linux box at first too. I don't know if there's something in the
TCP stack that reacts more adversely to this, but my fix in that case
was a refactoring of my state model. YMMV.
