Very sensible ;o)

Group 100 head refers to dc0 interface. (Correct me if I'm wrong Michael). As you can see from the firewall log this is also the interface on which the block rule is in effect. So I don't see how it could fail a match against the head 100.

22:29:23.387117 dc0 @0:68 b 192.168.1.201,40452 -> 172.16.1.1,22 PR tcp len 20 64 -A IN

Michael: perhaps you could post the rule set with semi-spoofed addresses? - and again perhaps create a specific rule for the SSH-packets which were blocked - with logging enabled.

/Martin

-----Original Message-----
From: Dinesh Nair [mailto:dinesh at alphaque dot com]
Sent: 17. maj 2004 17:28
To: Martin Holst
Cc: christian at nyegaard dot net; m0n0wall at lists dot m0n0 dot ch; Michael Østergaard Pedersen
Subject: RE: [m0n0wall] Possible bug: LAN redirection via static route

On Mon, 17 May 2004, Martin Holst wrote:

> Only the first SYN-packets are passed via rule @2 - all other are
> apparently blocked by @68.

since @2 is a group 100, and only packets failing the head 100 rule would drop into @2, it would perhaps be more informative if you posted the entire ruleset which is causing this to happen.

--dinesh

Regards,                           /\_/\   "All dogs go to heaven."
dinesh at alphaque dot com        (0 0)    http://www.alphaque.com/
+==========================----oOO--(_)--OOo----==========================+
| for a in past present future; do                                        |
| for b in clients employers associates relatives neighbours pets; do     |
| echo "The opinions here in no way reflect the opinions of my $a $b."    |
| done; done                                                              |
+=========================================================================+