See earlier posting dated 05 March 2004,
heading: "BM37 SP3 compromises stateful filtering".

I have also seen other threads on this forum from other users experiencing
the same problem, so I am not alone...
See e.g. the posting from Dmitry E. Rovkin dated 22 Jan. 2004.
I have been mailing with him, and we have both found the same solution:

Adding static reply-filters fixes the problem.

It seems as if the NW6SP4 compromises the stateful filter function in the firewall.
At first I thought it was the BM37SP3 that made the problems, but it's not.
Rollback to BM37SP2 does not help, because it's the core OS NLMs
that become erroneous after NW6SP4 (filtsrv.nlm, ipflt.nlm, ipflt31.nlm).

The problem may relate to the IPFLT module, which no longer handles properly
either the dynamic port handling for the reply thru stateful filters, or the
Ack Bit Filtering function itself.
Either way, stateful filters no longer work,
and static filters must be configured for the reply thru stateful filters!

My scenario is NW 6.0 SP4 / BM 3.7 SP3, but I know that the same problem
also applies to NW 6.5 / BM 3.8.
NW 6.0 SP3 / BM 3.7 SP2 works OK though.

I judge this to be a rather serious bug, which requires immediate
handling from Novell.
I have heard that there is a new BM37 beta SP on the way, including new
FILTSRV.NLM and IPFLT*.NLM. I hope this will be available very soon,
because safety is far from optimal as it is now, with general dynamic reply
filters in effect - without Ack Bit Filtering...

So - what happens?
Can Novell live with this?
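
The post contrasts stateful reply handling with the static reply-filter workaround, with and without Ack Bit Filtering. The sketch below is an added example, not part of the original post and not a model of Novell's FILTSRV/IPFLT code; it compares what each of the three rule types accepts inbound. The addresses, ports, class and function names are constructed assumptions, and the static rule (source port 80 to any high port) is a hypothetical reply filter.

```python
from dataclasses import dataclass

# Constructed addresses and ports (assumptions, not taken from the post).
INSIDE, OUTSIDE = "10.0.0.5", "203.0.113.9"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

class StatefulFilter:
    """Allows inbound TCP only as the reply to a flow opened from inside."""
    def __init__(self):
        self.flows = set()

    def outbound(self, p):
        self.flows.add((p.src, p.sport, p.dst, p.dport))

    def inbound(self, p):
        # Accept only the exact reverse of a recorded outbound flow.
        return (p.dst, p.dport, p.src, p.sport) in self.flows

def static_reply(p, ack_bit_filtering):
    """Hypothetical static reply filter: source port 80 to any high port."""
    if p.sport != 80 or p.dport < 1024:
        return False
    # With ACK bit filtering, a bare SYN (new connection attempt) is dropped.
    return p.ack if ack_bit_filtering else True

def evaluate():
    fw = StatefulFilter()
    fw.outbound(Packet(INSIDE, 40000, OUTSIDE, 80, syn=True))
    inbound = {
        "reply": Packet(OUTSIDE, 80, INSIDE, 40000, syn=True, ack=True),
        "unsolicited_syn": Packet(OUTSIDE, 80, INSIDE, 5000, syn=True),
        "unsolicited_ack": Packet(OUTSIDE, 80, INSIDE, 5000, ack=True),
    }
    # Verdict order: (stateful, static + ACK bit, static without ACK bit)
    return {n: (fw.inbound(p), static_reply(p, True), static_reply(p, False))
            for n, p in inbound.items()}

if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:16} {verdicts}")
```

When reviewing a rule set built around this workaround, the third column is the one to check: a static reply filter without ACK bit filtering accepts every inbound packet that matches the port pattern, whether or not it answers an outbound connection.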