Why is PF rejecting these connections?

Dave Horsfall dave at horsfall.org
Sat Nov 18 01:31:58 UTC 2017


I have PF (FreeBSD 10.4) configured to drop suspicious packets, e.g. those 
claiming to be ACKs for non-existent connections, etc., but I'm seeing some 
weirdness in the logs.  Now, I sort of inherited the configuration and 
don't fully understand each directive, but if it works for someone I 
trust, well...

Anyway, here are some sample log entries:

     23:15:37.755870 IP host90-45-237-212.serverdedicati.aruba.it.34944 > aneurin.kfu.smtp: Flags [S], seq 4161201091, win 14600, options [mss 1460,sackOK,TS[|tcp]>
     23:15:40.755278 IP host90-45-237-212.serverdedicati.aruba.it.34944 > aneurin.kfu.smtp: Flags [S], seq 4161201091, win 14600, options [mss 1460,sackOK,TS[|tcp]>
     [...]
     23:52:02.768939 IP rdns1.mailinfo.ga.43128 > aneurin.kfu.smtp: Flags [S], seq 1022514539, win 14600, options [mss 1460,sackOK,TS[|tcp]>
     23:52:18.768869 IP rdns1.mailinfo.ga.43128 > aneurin.kfu.smtp: Flags [S], seq 1022514539, win 14600, options [mss 1460,sackOK,TS[|tcp]>

Etc; the common theme appears to be those options whose purpose I don't 
quite grok, but are presumably legal in this context.

The relevant lines from my pf.conf seem to be:

     set block-policy drop
     set loginterface egress
     #set ruleset-optimization basic
     scrub in
     block all
     pass out quick all keep state
     antispoof log quick for $ext_if inet
     [ Sundry pass/block rules ]

So, why is PF complaining about those packets?  The finer points of TCP 
options notwithstanding, they seem OK to me...  Remember: I inherited most 
of the configuration file, so I don't necessarily understand it.

Thanks.

-- 
Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."
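As an added illustration (my own script, not part of Dave's post or of PF), here is a small Python parser for tcpdump-format pflog lines like the ones quoted above. It keys each SYN by source, ports and initial sequence number and reports keys that repeat: a peer re-sending the identical SYN a few seconds later is the retransmission pattern you see when its first SYN was silently dropped rather than answered with a SYN-ACK or RST. The sample lines are the four from the post; `parse_line` and `find_retransmitted_syns` are names chosen here.

```python
import re
from collections import defaultdict
from datetime import datetime

# The four log lines quoted in the post (tcpdump rendering of pflog records).
SAMPLE_LOG = """\
23:15:37.755870 IP host90-45-237-212.serverdedicati.aruba.it.34944 > aneurin.kfu.smtp: Flags [S], seq 4161201091, win 14600, options [mss 1460,sackOK,TS[|tcp]>
23:15:40.755278 IP host90-45-237-212.serverdedicati.aruba.it.34944 > aneurin.kfu.smtp: Flags [S], seq 4161201091, win 14600, options [mss 1460,sackOK,TS[|tcp]>
23:52:02.768939 IP rdns1.mailinfo.ga.43128 > aneurin.kfu.smtp: Flags [S], seq 1022514539, win 14600, options [mss 1460,sackOK,TS[|tcp]>
23:52:18.768869 IP rdns1.mailinfo.ga.43128 > aneurin.kfu.smtp: Flags [S], seq 1022514539, win 14600, options [mss 1460,sackOK,TS[|tcp]>
"""

# The port is whatever follows the last dot in "host.port".  The trailing "[|tcp]"
# is tcpdump's marker that the snaplen truncated the options; it is not an option.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.(?P<sport>\w+) > "
    r"(?P<dst>\S+)\.(?P<dport>\w+): Flags \[(?P<flags>[^\]]*)\], seq (?P<seq>\d+)"
)

def parse_line(line):
    """Return a dict for one TCP log line, or None if the line is not understood."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%H:%M:%S.%f")
    rec["seq"] = int(rec["seq"])
    return rec

def find_retransmitted_syns(log_text):
    """Key SYNs by (src, sport, dst, dport, ISN).  A repeated key means the peer
    re-sent the very same SYN: it saw neither a SYN-ACK nor a RST, which is what
    a silently dropped packet (set block-policy drop) looks like from its side."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["flags"] != "S":
            continue
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["seq"])
        seen[key].append(rec["ts"])
    report = {}
    for key, times in seen.items():
        if len(times) < 2:
            continue
        times.sort()
        gaps = [round((b - a).total_seconds(), 3) for a, b in zip(times, times[1:])]
        report[key] = {"attempts": len(times), "gaps_s": gaps}
    return report
```

Feed it `tcpdump -n -e -ttt -i pflog0`-style output with the timestamp format adjusted if yours differs; on the four sample lines it reports two flows, each SYN sent twice, about 3 s and 16 s apart.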
