Re: What is wrong?


IMHO, everything is OK. Two rules required.
Rules describing packets for DIFFERENT interfaces.
This statefull inspection NOT to have to know about reverse traffic.
The first rule allow traffic from eth04 to eth03 interfaces WITH DEFINED STATE (new or established), but traffic from eth03 to eth04 is undefined at all. May be, there are no reverse packets to initiating port on eth04, but there is a traffic to new port – aka RELATED. Statefull inspection works with such state definitions only.
Are your xKerio-user? It’s true, many ms-windows firewalls do that – only one direction of traffic must be defined, but there are TWO hidden rules inside.

Sorry for my English, I hope, main of my post is clear 😳