keep state and mac address

Does anyone know if the mac address is used in the keep state part of a tcp connection?

I have a rule on a Solaris 10 box using ipfilter 4.0.2 (comes with sol10) that looks like this:

block in log all
block out log all
pass in quick on hme0 log proto tcp from any to MYIP port = 22 keep state

That's it. I can connect from one host on the network but not from another. When I watch ipmon from the good host I see a keep state entry being created. From the other host I do not. I instead see the pass on the K-S rule for the S packet, but the SA packet is being blocked by the block out entry. ipfilter did not establish an entry in the state table.

The only difference I can see between the two hosts is when watching snoop. From the good host, I see the SRC mac address of the gateway router/switch. But when I snoop the bad host, I see a mac address that I have not yet found on my network. (I don't run the network gear so this will take time) So I get a packet with a SRC MAC not of the default gateway.

The state table has 5 entries in it (not full), I've flushed and restarted many times, ipstat -io shows just the 3 rules, and nothing else seems unusual.

Anyone know if the mac address matters or have other ideas to check?

Thanks!

Jim


__________________________________________________ ________________
Switch to Netscape Internet Service.
As low as $9.95 a month -- Sign up today at http://isp.netscape.com/register

Netscape. Just the Net You Need.

New! Netscape Toolbar for Internet Explorer
Search from anywhere on the Web and block those annoying pop-ups.
Download now at http://channels.netscape.com/ns/search/install.jsp