IPFilter contains a flaw that may allow a remote attacker to bypass the ruleset. The issue is due to the presence of overlapping rules that relate to "return-rst" and "keep state". These two rules create a race condition that may allow an attacker to send the right sequence of packets to win, allowing them to bypass the filter rules completely.
Upgrade to version 3.3.16, 3.4.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.