Here is even more information about my problem. My only LAN rule is to accept all traffic coming in on the LAN interface. I added an additional rule to log all packets that had an SSH port as destination port. Now the log looks like this when I try to SSH to 172.16.1.1:

14:08:00.260010 dc0 @100:2 p 192.168.1.201,43411 -> 172.16.1.1,22 PR tcp len 20 60 -S K-S K-F IN
14:08:00.260053 dc0 @100:2 p 192.168.1.201,43411 -> 172.16.1.1,22 PR tcp len 20 60 -S K-S K-F OUT
14:08:00.260095 dc0 @-1:-1 p 192.168.1.200 -> 192.168.1.201 PR icmp len 20 56 icmp redirect/host for 192.168.1.201,43411 - 172.16.1.1,22 PR tcp len 20 60 K-S K-F OUT
14:10:02.614321 dc0 @0:68 b 192.168.1.201,43411 -> 172.16.1.1,22 PR tcp len 20 52 -AF IN

This is consistent with what happens in the earlier description I gave. First the SYN packet goes to the m0n0wall, which is forwarded to the router at 192.168.1.254. After that an ICMP redirect is sent to my host from the m0n0wall to tell it the best direct route. When my host later tries to send SSH packets to 172.16.1.1 through the m0n0wall, the packets are dropped.

The new firewall rule that logs the first three packets is:

@2 pass in log quick proto tcp from any to any port = 22 keep state group 100

But for some reason this rule does not match the last packet logged, since it is dropped.

-Michael
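The four ipmon lines above carry everything needed to spot this pattern mechanically: a pass with SYN, an ICMP redirect naming the same flow, and a later block of a non-SYN packet for that flow. The following is an added example, not code from the post or from the m0n0wall project: a small parser for ipmon-style log lines in exactly the layout shown above (timestamp, interface, @group:rule, action, src -> dst, PR proto, len, TCP flags, direction), plus a heuristic that pairs each ICMP redirect with a later mid-stream block of the flow it named. The regexes are written against the fields visible in those lines only; the sample log embedded below is constructed from them, and the "redirect bypass" heuristic is this example's own interpretation of the sequence the post describes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the ipmon lines from the post, reassembled one per line.
SAMPLE_LOG = """\
14:08:00.260010 dc0 @100:2 p 192.168.1.201,43411 -> 172.16.1.1,22 PR tcp len 20 60 -S K-S K-F IN
14:08:00.260053 dc0 @100:2 p 192.168.1.201,43411 -> 172.16.1.1,22 PR tcp len 20 60 -S K-S K-F OUT
14:08:00.260095 dc0 @-1:-1 p 192.168.1.200 -> 192.168.1.201 PR icmp len 20 56 icmp redirect/host for 192.168.1.201,43411 - 172.16.1.1,22 PR tcp len 20 60 K-S K-F OUT
14:10:02.614321 dc0 @0:68 b 192.168.1.201,43411 -> 172.16.1.1,22 PR tcp len 20 52 -AF IN
"""

# Field layout as it appears in the sample; other ipmon output variants are not handled.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<iface>\S+)\s+"
    r"@(?P<group>-?\d+):(?P<rule>-?\d+)\s+(?P<action>[pbnsL])\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+PR\s+(?P<proto>\S+)\s+"
    r"len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)(?P<rest>.*)$"
)
# The flow an ICMP redirect was generated for ("for src - dst").
REDIRECT_RE = re.compile(r"icmp redirect/\S+ for (?P<src>\S+) - (?P<dst>\S+)")
# TCP flag token such as "-S" or "-AF"; the lookbehind skips "K-S"/"K-F" keep-state markers.
TCPFLAGS_RE = re.compile(r"(?<!\w)-([SAFRPU]+)(?!\w)")


@dataclass
class Entry:
    ts: str
    iface: str
    group: int
    rule: int
    action: str                # 'p' pass, 'b' block, ...
    src: str                   # "addr,port" for TCP/UDP, bare addr for ICMP
    dst: str
    proto: str
    direction: str             # "IN" or "OUT"
    tcp_flags: str = ""        # e.g. "S", "AF"; empty when no flag token present
    redirect_flow: Optional[Tuple[str, str]] = None   # (src, dst) named in a redirect


def parse_line(line: str) -> Optional[Entry]:
    """Parse one ipmon line in the sample layout; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    tokens = rest.split()
    flags = TCPFLAGS_RE.search(rest)
    redirect = REDIRECT_RE.search(rest)
    return Entry(
        ts=m.group("ts"), iface=m.group("iface"),
        group=int(m.group("group")), rule=int(m.group("rule")),
        action=m.group("action"), src=m.group("src"), dst=m.group("dst"),
        proto=m.group("proto"), direction=tokens[-1] if tokens else "",
        tcp_flags=flags.group(1) if flags else "",
        redirect_flow=(redirect.group("src"), redirect.group("dst")) if redirect else None,
    )


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def find_redirect_bypass(entries: List[Entry]) -> List[Tuple[Entry, Entry]]:
    """Pair each ICMP redirect with a later block of a non-SYN TCP packet for the
    flow it named. That sequence is what the post describes: the host takes the
    redirect, the rest of the handshake never crosses the firewall, and a later
    packet of the flow arrives with no state entry to match the keep-state rule."""
    redirected = {}
    findings = []
    for e in entries:
        if e.redirect_flow is not None:
            redirected[e.redirect_flow] = e
        elif e.action == "b" and e.proto == "tcp" and "S" not in e.tcp_flags:
            key = (e.src, e.dst)
            if key in redirected:
                findings.append((redirected[key], e))
    return findings


if __name__ == "__main__":
    for redir, blocked in find_redirect_bypass(parse_log(SAMPLE_LOG)):
        print(f"redirect at {redir.ts} for {redir.redirect_flow}, "
              f"later blocked at {blocked.ts} by @{blocked.group}:{blocked.rule} "
              f"flags -{blocked.tcp_flags}")
```

Run against the sample, the heuristic pairs the 14:08:00 redirect with the 14:10:02 block by @0:68 of the same 192.168.1.201,43411 -> 172.16.1.1,22 flow, whose only flags are A and F, i.e. a packet the keep-state rule @100:2 never saw a SYN for on the firewall.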