Ups, there you go when not testing your last optimization, it is required that a fw rule number is allocated for partial connections so the fix is just: in libalias/alias_db.c in PunchFWHole add the following after the initial packetAliasMode test: ClearFWHole(link); /FK