Hi,

I have just upgraded an OpenBSD 4.7 firewall to 5.2. The system routes between $net1 and $net2 with pf enabled. After the upgrade, ping requests from $net1 to $net2 get stuck (and vice versa). Only the first ICMP echo-req from $net1 to $net2 gets answered by an ICMP echo-reply; all subsequent ICMP echo-reqs are seen on the $net1 interface of the firewall, but there is no log message in pflog0 or on the $net2 interface.

I use the no state flag for the rules, because the default gateway is not this system.

    pass out
    pass in log on $net1_if inet from $net1 to $net2 no state
    pass in log on $net2_if inet from $net2 to $net1 no state

I have solved the problem with dedicated ICMP rules after the rules above.

    pass in log on $net1_if proto icmp from $net1 to $net2
    pass in log on $net2_if proto icmp from $net2 to $net3

Why is only the first ping ok with no state flag set at the pass rule?

Thanks,
Patrick

