On Tue, 21 Dec 2004 19:05:52 -0500, Chris Buechler <cbuechler at gmail dot com> wrote:
>
> You didn't say if you were having any problems, but if not just ignore
> it. The @0:17 means rule 17 in group 0 as shown in /status.php is
> what's dropping the traffic. Knowing which rule that is might help us
> a little more. My guess is it's retransmitted and/or last packets not
> hitting the state of the connection in process, as described in the
> ipfilter howto:
>
> "Due to the often laggy nature of the Internet, sometimes packets will
> be regenerated. Sometimes, you'll get two copies of the same packet,
> and your state rule which keeps track of sequence numbers will have
> already seen this packet, so it will assume that the packet is part of
> a different connection. Eventually this packet will run into a real
> rule and have to be dealt with. You'll often see the last packet of a
> session being closed get logged because the keep state code has
> already torn down the connection before the last packet has had a
> chance to make it to your firewall. This is normal, do not be
> alarmed."
>
Follow-up for the sake of the archives (resolved offlist).
The rule that's dropping it is:
@17 block in log quick proto tcp from any to any
Which means they are missing the state table, and are almost certainly
duplicate packets.
-Chris
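An added example, not from the thread or from ipfilter itself: a small Python triage script that parses ipmon-style log lines, tallies blocked packets by the @group:rule tag explained above, and separates stragglers with no SYN (the "missing the state table" case) from genuinely refused new connection attempts. The field layout of the log lines and the sample lines themselves are constructed assumptions.

```python
import re
from collections import Counter

# Constructed ipmon-style log lines; the field layout is an assumption about the
# ipfilter log format and the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
21/12/2004 19:01:02.123456 xl0 @0:17 b 192.0.2.10,51234 -> 198.51.100.5,80 PR tcp len 20 40 -AF IN
21/12/2004 19:01:02.223456 xl0 @0:17 b 192.0.2.10,51234 -> 198.51.100.5,80 PR tcp len 20 40 -R IN
21/12/2004 19:01:05.000001 xl0 @0:17 b 203.0.113.9,40000 -> 198.51.100.5,22 PR tcp len 20 60 -S IN
21/12/2004 19:01:06.000001 xl0 @0:17 b 203.0.113.9,40001 -> 198.51.100.5,23 PR tcp len 20 60 -S IN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len \d+ \d+ -(?P<flags>[A-Z]+) (?P<dir>IN|OUT)$"
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Label a blocked TCP packet by its flags.

    SYN without ACK: a new connection the block rule genuinely refused.
    ACK/FIN/RST without SYN: a packet for a connection the state table no
    longer tracks, i.e. the late duplicate described in the thread.
    """
    if entry["proto"] != "tcp":
        return "non-tcp"
    flags = set(entry["flags"])
    return "new-connection" if "S" in flags and "A" not in flags else "stateless-straggler"

def triage(log_text):
    """Count blocked packets per @group:rule tag and per classification."""
    by_rule, by_class = Counter(), Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["action"] != "b":
            continue
        by_rule[f"@{entry['group']}:{entry['rule']}"] += 1
        by_class[classify(entry)] += 1
    return {"by_rule": dict(by_rule), "by_class": dict(by_class)}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Stragglers logged by the catch-all block rule can be safely ignored; a rising count of new-connection hits against the same rule is what deserves a closer look.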