Help Requested re: traffic "INs and OUTs" of Firewall vs. MailServer
OpenMac
openmac at comcast.net
Thu Oct 9 08:54:42 PDT 2003
hi all,
in tweaking my ipfw rules i've turned on logging for just about all traffic ...
... and have noticed a mail transaction that has me confused a bit.
The log entries of interest are as follows:
(1) Oct 8 17:38:50 gateway mach_kernel: ipfw: 3800 Accept TCP aa.bb.cc.dd:21895 10.0.0.6:25 in via en1
(2) Oct 8 17:54:26 gateway mach_kernel: ipfw: 3800 Accept TCP aa.bb.cc.dd:21895 10.0.0.6:25 out via en2
where:
aa.bb.cc.dd is some machine out on the internet
10.0.0.6 is my internal (nat'd) mail server.
en1 is my external facing ethernet interface on my gateway
en2 is my internal facing ethernet interface on my gateway
The first log entry (1) is clear to me:
External server aa.bb.cc.dd is attempting to send me email.
My question is in regards to (2):
Why are packets being sent *FROM* an EXTERNAL machine sending packets OUT *TO* an INTERNAL machine?
IN from External, or OUT from Internal, as in (1) I can understand, but (2) has me suspicious/confused ....
At first, I thought that the communication in (1) triggers/initiates the communication in (2).
To test, I thought that if I DENY ALL access to/from aa.bb.cc.dd via en1 -- I'd expect that (1) would DENY, and since
traffic would never get to 10.0.0.6, there would be no (2) triggered/logged.
However, after DENY ALL as above, I get in my log:
(1) Oct 8 17:38:50 gateway mach_kernel: ipfw: 3799 Deny TCP aa.bb.cc.dd:21895 10.0.0.6:25 in via en1
(2) Oct 8 17:54:26 gateway mach_kernel: ipfw: 3800 Accept TCP aa.bb.cc.dd:21895 10.0.0.6:25 out via en2
So, it seems to me that (2) is being externally triggered?! Hence my confusion & my question ...
Any suggestions as to what's going on here, and what I'm misunderstanding?
Thanks!
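A way to check the log for the pattern the post describes, as an added example that is not part of the original message: ipfw evaluates a forwarded packet both when it arrives on one interface and when it leaves on another, so an accepted "out via en2" line would normally follow an accepted "in via en1" line for the same flow. The script parses the four quoted log lines and reports any forwarded "out" entry that lacks such a predecessor; the function names, the assumed year 2003 (syslog omits it) and the choice of en1 as the external interface are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# The log lines quoted in the post; aa.bb.cc.dd is the poster's own placeholder.
BEFORE_DENY = """\
Oct 8 17:38:50 gateway mach_kernel: ipfw: 3800 Accept TCP aa.bb.cc.dd:21895 10.0.0.6:25 in via en1
Oct 8 17:54:26 gateway mach_kernel: ipfw: 3800 Accept TCP aa.bb.cc.dd:21895 10.0.0.6:25 out via en2
"""
AFTER_DENY = """\
Oct 8 17:38:50 gateway mach_kernel: ipfw: 3799 Deny TCP aa.bb.cc.dd:21895 10.0.0.6:25 in via en1
Oct 8 17:54:26 gateway mach_kernel: ipfw: 3800 Accept TCP aa.bb.cc.dd:21895 10.0.0.6:25 out via en2
"""
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ \S+ ipfw: (?P<rule>\d+) (?P<action>\w+) "
    r"(?P<proto>\w+) (?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)$")

def parse(log_text, year=2003):
    """Yield one dict per ipfw log line; the year is assumed, syslog omits it."""
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e["when"] = datetime.strptime(f"{year} {e['ts']}", "%Y %b %d %H:%M:%S")
            e["flow"] = (e["proto"], e["src"], e["sport"], e["dst"], e["dport"])
            yield e

def unmatched_out(log_text, ext_if="en1"):
    """Accepted 'out' entries on an inner interface with no earlier accepted
    'in via ext_if' entry for the same flow."""
    accepted_in = defaultdict(list)  # flow -> times it was accepted inbound
    orphans = []
    for e in parse(log_text):
        if e["dir"] == "in" and e["iface"] == ext_if and e["action"] == "Accept":
            accepted_in[e["flow"]].append(e["when"])
        elif e["dir"] == "out" and e["iface"] != ext_if and e["action"] == "Accept":
            if not any(t <= e["when"] for t in accepted_in[e["flow"]]):
                orphans.append(e)
    return orphans

def in_to_out_gap(log_text):
    """Seconds between the earliest and latest parsed entry in the log."""
    times = [e["when"] for e in parse(log_text)]
    return (max(times) - min(times)).total_seconds()

if __name__ == "__main__":
    for name, log in (("before deny", BEFORE_DENY), ("after deny", AFTER_DENY)):
        hits = [(e["rule"], e["dir"], e["iface"]) for e in unmatched_out(log)]
        print(name, hits, in_to_out_gap(log))
```

Run over a full log rather than two excerpts, the same check shows whether each "out via en2" line pairs with an "in via en1" line close to it in time or stands alone.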
More information about the freebsd-ipfw mailing list