I think I have another piece of information. As the ping is very small, I think there are too many packets going on at the same time. Therefore, the system that checks the states might not receive the packets in the right order, and therefore decide that certain packets arrived too early.
I hope it helps.

Regards
Leo Alionis

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lio Goehrs
Sent: Thursday 7 June 2007 09:35
To: [email protected]
Subject: Pf Issue with a large number of Packet

Hi All,

I am sorry to bother the list, but I think I may have encountered a bug and I would like to share it with you guys. I have been using OpenBSD to build firewalls for a long time, in a solution with VLAN + CARP.

When computers in the protected network download a file over HTTP, everything works for the first 15 MB, then it stops. When I tcpdump on the external address, I get the following:

08:34:19.343833 mirrors.club-internet.fr.www > so-bo01-std.55692: P 17637121:17638569(1448) ack 174 win 49232 <nop,nop,timestamp 3651037459 313698521> (DF)
08:34:19.343870 so-bo01-std.55692 > mirrors.club-internet.fr.www: . ack 17634225 win 1810 <nop,nop,timestamp 313698522 3651037459> (DF)
08:34:19.614303 mirrors.club-internet.fr.www > so-bo01-std.55692: P 20054337:20055785(1448) ack 174 win 49232 <nop,nop,timestamp 3651037487 313698589> (DF)
08:34:19.614326 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
08:34:20.024189 mirrors.club-internet.fr.www > so-bo01-std.55692: . 20009449:20010897(1448) ack 174 win 49232 <nop,nop,timestamp 3651037528 313698589> (DF)
08:34:20.024210 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
08:34:20.844464 mirrors.club-internet.fr.www > so-bo01-std.55692: . 20009449:20010897(1448) ack 174 win 49232 <nop,nop,timestamp 3651037610 313698589> (DF)
08:34:20.844485 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
08:34:22.485887 mirrors.club-internet.fr.www > so-bo01-std.55692: . 20009449:20010897(1448) ack 174 win 49232 <nop,nop,timestamp 3651037774 313698589> (DF)
08:34:22.485907 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
08:34:24.234738 so-bo01-std.55692 > mirrors.club-internet.fr.www: F 174:174(0) ack 20009449 win 1851 <nop,nop,timestamp 313699744 3651037482> (DF)
08:34:24.235872 mirrors.club-internet.fr.www > so-bo01-std.55692: . ack 175 win 49232 <nop,nop,timestamp 3651037949 313699744> (DF)

On the internal interfaces, I see nothing related to the host unreachable, just a Reset after a while from the server.

- If I pfctl -d, everything works.
- If I remove all the block statements in the pf.conf, it does not work.
- If I rate limit the download to 50 kB/s, then I still have unreachables but it is able to recover; above that and up to 100 MB, it would fail and the transfer would stall.
- If I create an empty rules file, then it works.

Here are the two rules:

# Production firewall to the second firewall
service_granted="{domain, ntp, smtp, snmp, http}"
block out log on $if_interco all label "Protection vers le Back"
pass in on $if_interco proto {tcp, udp} from {$net_back, $net_interco} to any port $service_granted keep state label "Back Office vers l'Internet"

Please advise.

Regards
Lio Alionis
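An added example, not part of this thread and not OpenBSD or pf code: a small Python script that re-parses the tcpdump lines quoted above and, for every data segment, compares its sequence range with the window edge the receiver last advertised (last ack plus advertised window, shifted by an assumed window scale). It also notes which segments were immediately answered by an ICMP host unreachable from the firewall. The window scale is an assumption, because the SYN exchange is not in the capture; the real pf window check has additional slack terms, so this is only the basic right-edge comparison a stateful tracker performs. The sample capture embedded in the script is constructed from the lines in the post.

```python
"""Compare captured TCP data segments with the receiver's advertised window.

Added example (not from the mailing-list post or from pf). The capture below
is constructed from the tcpdump lines quoted in the post; the window-scale
shift is an assumption, since the SYN exchange was not captured.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the tcpdump lines from the post, one per line.
CAPTURE = """\
08:34:19.343833 mirrors.club-internet.fr.www > so-bo01-std.55692: P 17637121:17638569(1448) ack 174 win 49232 <nop,nop,timestamp 3651037459 313698521> (DF)
08:34:19.343870 so-bo01-std.55692 > mirrors.club-internet.fr.www: . ack 17634225 win 1810 <nop,nop,timestamp 313698522 3651037459> (DF)
08:34:19.614303 mirrors.club-internet.fr.www > so-bo01-std.55692: P 20054337:20055785(1448) ack 174 win 49232 <nop,nop,timestamp 3651037487 313698589> (DF)
08:34:19.614326 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
08:34:20.024189 mirrors.club-internet.fr.www > so-bo01-std.55692: . 20009449:20010897(1448) ack 174 win 49232 <nop,nop,timestamp 3651037528 313698589> (DF)
08:34:20.024210 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
08:34:20.844464 mirrors.club-internet.fr.www > so-bo01-std.55692: . 20009449:20010897(1448) ack 174 win 49232 <nop,nop,timestamp 3651037610 313698589> (DF)
08:34:20.844485 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
08:34:22.485887 mirrors.club-internet.fr.www > so-bo01-std.55692: . 20009449:20010897(1448) ack 174 win 49232 <nop,nop,timestamp 3651037774 313698589> (DF)
08:34:22.485907 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
08:34:24.234738 so-bo01-std.55692 > mirrors.club-internet.fr.www: F 174:174(0) ack 20009449 win 1851 <nop,nop,timestamp 313699744 3651037482> (DF)
08:34:24.235872 mirrors.club-internet.fr.www > so-bo01-std.55692: . ack 175 win 49232 <nop,nop,timestamp 3651037949 313699744> (DF)
"""

# Old-style tcpdump TCP line: "src > dst: FLAGS [start:end(len)] ack N win W ..."
TCP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRP.]+) "
    r"(?:(?P<start>\d+):(?P<end>\d+)\(\d+\) )?ack (?P<ack>\d+) win (?P<win>\d+)"
)
ICMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): icmp: host (?P<host>\S+) unreachable"
)


@dataclass
class Segment:
    ts: float
    src: str
    dst: str
    flags: str
    seq_start: Optional[int]
    seq_end: Optional[int]
    ack: int
    win: int
    icmp_unreach: bool = False  # firewall answered this segment with ICMP host unreachable


@dataclass
class Finding:
    ts: float
    seq_start: int
    seq_end: int
    window_edge: int
    icmp_unreach: bool


def _seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse(capture: str) -> list[Segment]:
    """Parse TCP lines; attach ICMP unreachables to the segment just before them."""
    segments: list[Segment] = []
    for line in capture.splitlines():
        m = TCP_RE.match(line)
        if m:
            segments.append(Segment(
                ts=_seconds(m["ts"]), src=m["src"], dst=m["dst"], flags=m["flags"],
                seq_start=int(m["start"]) if m["start"] else None,
                seq_end=int(m["end"]) if m["end"] else None,
                ack=int(m["ack"]), win=int(m["win"])))
            continue
        m = ICMP_RE.match(line)
        if m and segments:
            prev = segments[-1]
            # The error names the unreachable host and follows the segment within 100 ms.
            if prev.dst.startswith(m["host"]) and _seconds(m["ts"]) - prev.ts < 0.1:
                prev.icmp_unreach = True
    return segments


def out_of_window(capture: str, wscale: int = 0) -> list[Finding]:
    """Return data segments ending past the receiver's last advertised window edge.

    wscale is the assumed window-scale shift of the receiver's advertisements.
    Only the basic right-edge test is applied here; pf adds further slack terms.
    """
    last_adv: dict[str, tuple[int, int]] = {}  # endpoint -> (ack, win) it last sent
    findings: list[Finding] = []
    for seg in parse(capture):
        if seg.seq_start is not None and seg.seq_end > seg.seq_start:
            adv = last_adv.get(seg.dst)
            if adv is not None:
                ack, win = adv
                edge = ack + (win << wscale)
                if seg.seq_end > edge:
                    findings.append(Finding(seg.ts, seg.seq_start, seg.seq_end, edge, seg.icmp_unreach))
        # Every segment carries its sender's current ack and window advertisement.
        last_adv[seg.src] = (seg.ack, seg.win)
    return findings


def report(capture: str, wscale: int = 0) -> str:
    lines = [f"assumed window scale shift: {wscale}"]
    for f in out_of_window(capture, wscale):
        tag = "ICMP host unreachable followed" if f.icmp_unreach else "no ICMP seen"
        lines.append(f"  {f.ts:.6f} seg {f.seq_start}:{f.seq_end} past edge {f.window_edge} ({tag})")
    return "\n".join(lines)


if __name__ == "__main__":
    for shift in (0, 7, 11):
        print(report(CAPTURE, shift))
```

Run with no arguments to see the same capture judged under three assumed window-scale shifts: with no scaling the four segments that drew an ICMP host unreachable all lie far past the 17634225 + 1810 edge, while a shift of 11 puts them back inside the window, which is why the missing SYN (and therefore the unknown scale) matters when reading a capture like this.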

