Take a "step back" and either disable PF or put "pass keep state" (e.g. simple rules) and see if you can reproduce this problem.
//mxb

On 14 jan 2013, at 21:38, Атанас Владимиров <don.na...@gmail.com> wrote:

> Hi,
> Today I upgraded to 11.01.2013 snapshot and I still get the same error.
> I have permanent static for my default route.
>
> [ns]~$ sudo /usr/sbin/arp -Ff /etc/ether.mac
>
> [ns]~$ cat /etc/ether.mac
> XX.XX.XX.33 00:50:45:5f:16:58 permanent
>
> [ns]~$ arp -a
> gw.xx.xx (XX.XX.XX.33) at 00:50:45:5f:16:58 on em0 permanent static
>
> After a while:
> [ns]~$ arp -a
> gw.xx.xx (XX.XX.XX.33) at 00:50:45:5f:16:58 on em0
>
> the permanent static arp disappears.
>
> /var/log/messages:
> Jan 14 20:46:47 ns /bsd: arpresolve: XX.XX.7.33: route without link local address
> Jan 14 20:51:47 ns last message repeated 42 times
>
> /var/log/daemon:
> Jan 14 20:46:47 ns dhclient[2970]: DHCPREQUEST on em0 to XX.XX.7.1 port 67
> Jan 14 20:46:47 ns dhclient[2970]: DHCPACK from XX.XX.7.33 (00:50:45:5f:16:58)
> Jan 14 20:46:47 ns dhclient[2970]: bound to XX.XX.7.48 -- renewal in 300 seconds.
>
> Here is my pf.conf
>
> [ns]~$ sudo cat /etc/pf.conf
>
>
> ################ Macros #######################################################
>
> ### Interfaces ###
> ExtIf ="em0"
> IntIf ="vlan41"
> Free ="vlan81"
> pppx ="192.168.3.0/25"
> lo0 ="127.0.0.1"
>
> ### Hosts ###
> vl="192.168.1.2"
> jl="192.168.1.3"
> ve="192.168.1.4"
> ntp="192.168.1.5"
> sam="192.168.1.14"
> dpc11="192.168.1.11"
>
> ### Ports ###
> low_ports = "0:1024"
> hi_ports = "1025:65535"
> web = "{20, 21, 22, 25, 80, 443, 3389, 5900, 6000, 7777, 8080}"
> ssh_extif = "2222"
> rdc = "3389"
> rdc_extif = "4900"
> squid = "8080"
> squid_extif = "443"
> vl_skype = "30001"
> jl_skype = "30002"
> ve_skype = "30003"
> vl_torrent= "30004"
> jl_torrent= "30005"
> ve_torrent= "30006"
> vl_hfs = "8081"
> ftp_proxy = "8021"
> symux = "2100"
> ftp = "21"
> vnc_ext = "59001"
> vnc_int = "5900"
> sftp = "22222"
> l2tp = "{ 500, 1701, 4500 }"
> trace = "33434:33498"
> ### Queues, States and Types ###
> IcmpType ="icmp-type 8 code 0"
> SynState ="flags S/SAFR synproxy state"
>
> ### Tables ###
> table <bgnets> file "/etc/bgnets"
> table <spamd-white> persist
> table <proxy-users> persist { 188.254.185.154, 212.50.72.29, 85.217.136.0/21, \
>     95.111.100.14, 212.233.176.65, 78.128.124.161, 190.32.172.28 }
> ## panama
> table <isp> persist { 94.26.7.32/27 }
> table <BLOCK> persist { 82.119.88.70 }
>
> ################ Options ######################################################
> ### Misc Options
> set block-policy drop
> set loginterface $ExtIf
> set skip on lo0
> set optimization aggressive
> # set state-defaults pflow
>
> ################ Queueing ####################################################
>
> altq on $ExtIf bandwidth 100% hfsc queue { BG, INTER }
> queue INTER bandwidth 3% hfsc (upperlimit 2950Kb) \
>     { i_ack, i_dns, i_ntp, i_web, i_bulk, i_bittor }
> queue i_ack bandwidth 30% priority 8 qlimit 500 hfsc (realtime 30%)
> queue i_dns bandwidth 5% priority 7 qlimit 500 hfsc (realtime 10%)
> queue i_ntp bandwidth 10% priority 6 qlimit 500 hfsc (realtime 10%)
> queue i_web bandwidth 30% priority 5 qlimit 500 hfsc (realtime 20%)
> queue i_bulk bandwidth 19% priority 2 qlimit 500 hfsc (realtime 15%)
> queue i_bittor bandwidth 1% priority 0 qlimit 2000 hfsc (default, upperlimit 60%)
>
> queue BG bandwidth 30% hfsc (upperlimit 30Mb) \
>     { b_ack, b_dns, b_ntp, b_rdc, b_web, b_bulk, b_bittor }
> queue b_ack bandwidth 10% priority 8 qlimit 500 hfsc (realtime 10%)
> queue b_dns bandwidth 1% priority 7 qlimit 500 hfsc (realtime 1% )
> queue b_ntp bandwidth 10% priority 7 qlimit 500 hfsc (realtime 1% )
> queue b_rdc bandwidth 10% priority 6 qlimit 500 hfsc (realtime 10%)
> queue b_web bandwidth 30% priority 5 qlimit 500 hfsc (realtime 30%)
> queue b_bulk bandwidth 30% priority 4 qlimit 500 hfsc (realtime 10%)
> queue b_bittor bandwidth 1% priority 0 qlimit 500 hfsc (upperlimit 85%)
>
> ################ Translation and Filtering ###################################
>
> ### BLOCK all in/out on all interfaces by default and log
> block log on $ExtIf
> block return log on $IntIf
> block return log on $Free
> block quick log on $ExtIf from <BLOCK>
>
> ### Network Address Translation (NAT with outgoing source port randomization)
> match out log on egress from (self) \
>     to any nat-to ($ExtIf:0) port 1024:65535
> match out log on egress from !($ExtIf:0) \
>     to any nat-to ($ExtIf:0) port 1024:65535
>
> ### NAT from IntIf to FreeWifi
> match out log on $Free from $IntIf:network \
>     to $Free:network nat-to ($Free:0) port 1024:65535
>
> ### Packet normalization ( "scrubbing" )
> match log on $ExtIf all scrub (random-id max-mss 1472)
>
> ### Ftp ( secure ftp proxy for LAN )
> anchor "ftp-proxy/*"
>
> ### pppx
> pass log from $pppx
>
> ### $ExtIf inbound ################
>
> # npppd
> pass in log on $ExtIf proto {tcp, udp} from <bgnets> \
>     to ($ExtIf) port $l2tp queue b_dns
>
> # Named ( bind dns )
> pass in log on $ExtIf inet proto udp from any \
>     to ($ExtIf) port domain queue i_dns
> pass in log on $ExtIf inet proto udp from <bgnets> \
>     to ($ExtIf) port domain queue b_dns
>
> # OpenSSH
> pass in log on $ExtIf inet proto tcp from <bgnets> \
>     to ($ExtIf) port $ssh_extif queue b_bulk rdr-to $lo0 port ssh
>
> # SFTP to MAC OS X
> pass in log on $ExtIf inet proto tcp from <bgnets> \
>     to ($ExtIf) port $sftp queue b_bulk rdr-to $dpc11 port ssh
>
> # Postfix
> pass in log on $ExtIf inet proto tcp from <spamd-white> \
>     to ($ExtIf) port smtp queue i_bulk rdr-to lo0
> pass in log on $ExtIf inet proto tcp from !<spamd-white> \
>     to ($ExtIf) port smtp rdr-to lo0 port spamd
>
> # Nginx
> pass in log on $ExtIf inet proto tcp from any \
>     to ($ExtIf) port www queue (i_web, i_ack) rdr-to $lo0
> pass in log on $ExtIf inet proto tcp from <bgnets> \
>     to ($ExtIf) port www queue (b_web, b_ack) rdr-to $lo0
>
> # Ntpd ( time server )
> pass in log on $ExtIf inet proto udp from any \
>     to ($ExtIf) port ntp queue i_ntp #rdr-to $ntp
> pass in log on $ExtIf inet proto udp from <bgnets> \
>     to ($ExtIf) port ntp queue b_ntp #rdr-to $ntp
>
> # RDC_BG
> pass in log on $ExtIf inet proto tcp from <bgnets> \
>     to ($ExtIf) port $rdc_extif $SynState queue b_rdc rdr-to $vl port $rdc
>
> # VNC TO MAC OS X
> pass in log on $ExtIf inet proto tcp from <bgnets> \
>     to ($ExtIf) port $vnc_ext $SynState queue b_rdc rdr-to $dpc11 port $vnc_int
>
> # Squid
> pass in log on $ExtIf inet proto tcp from <proxy-users> \
>     to ($ExtIf) port $squid_extif $SynState queue b_bulk rdr-to $lo0 port $squid
>
> # Skype (queue INTER)
> pass in log on $ExtIf inet proto {tcp, udp} from any \
>     to ($ExtIf) port $vl_skype queue i_bulk rdr-to $vl
> pass in log on $ExtIf inet proto {tcp, udp} from any \
>     to ($ExtIf) port $jl_skype queue i_bulk rdr-to $jl
> pass in log on $ExtIf inet proto {tcp, udp} from any \
>     to ($ExtIf) port $ve_skype queue i_bulk rdr-to $ve
>
> # Skype (queue BG)
> pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
>     to ($ExtIf) port $vl_skype queue b_bulk rdr-to $vl
> pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
>     to ($ExtIf) port $jl_skype queue b_bulk rdr-to $jl
> pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
>     to ($ExtIf) port $ve_skype queue b_bulk rdr-to $ve
>
> # uTorrent (queue INTER)
> pass in log on $ExtIf inet proto {tcp, udp} from any \
>     to ($ExtIf) port $vl_torrent queue (i_bittor, i_ack) rdr-to $vl
> pass in log on $ExtIf inet proto {tcp, udp} from any \
>     to ($ExtIf) port $jl_torrent queue (i_bittor, i_ack) rdr-to $jl
> pass in log on $ExtIf inet proto {tcp, udp} from any \
>     to ($ExtIf) port $ve_torrent queue (i_bittor, i_ack) rdr-to $ve
>
> # uTorrent (queue BG)
> pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
>     to ($ExtIf) port $vl_torrent queue (b_bittor, b_ack) rdr-to $vl
> pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
>     to ($ExtIf) port $jl_torrent queue (b_bittor, b_ack) rdr-to $jl
> pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
>     to ($ExtIf) port $ve_torrent queue (b_bittor, b_ack) rdr-to $ve
>
> # HFS
> pass in log on $ExtIf inet proto tcp from <bgnets> \
>     to ($ExtIf) port $vl_hfs queue (b_web, b_ack) rdr-to $vl
>
> # Ping
> pass in log on $ExtIf inet proto icmp from any \
>     to ($ExtIf) $IcmpType
> pass in log on $ExtIf inet proto icmp from <bgnets> \
>     to ($ExtIf) $IcmpType queue b_bulk
>
> ### End $ExtIf inbound ###########
>
> ### $IntIf outbound ###########
>
> # ntp.bsdbg.net
> pass out log on $IntIf inet proto udp from any \
>     to $ntp port ntp
>
> # RDC
> pass out log on $IntIf inet proto tcp from any \
>     to $vl port $rdc
>
> # VNC TO MAC OS X
> pass out log on $IntIf inet proto tcp from any \
>     to $dpc11 port $vnc_int
>
> # SFTP to MAC OS X
> pass out log on $IntIf inet proto tcp from any \
>     to $dpc11 port ssh
>
> # Skype
> pass out log on $IntIf inet proto {tcp, udp} from any \
>     to $vl port $vl_skype
> pass out log on $IntIf inet proto {tcp, udp} from any \
>     to $jl port $jl_skype
> pass out log on $IntIf inet proto {tcp, udp} from any \
>     to $ve port $ve_skype
>
> # uTorrent
> pass out log on $IntIf inet proto {tcp, udp} from any \
>     to $vl port $vl_torrent
> pass out log on $IntIf inet proto {tcp, udp} from any \
>     to $jl port $jl_torrent
> pass out log on $IntIf inet proto {tcp, udp} from any \
>     to $ve port $ve_torrent
>
> # HFS
> pass out log on $IntIf inet proto tcp from <bgnets> \
>     to $vl port $vl_hfs
>
> # Allow self to reach Lan
> pass out log on $IntIf inet proto {tcp, udp, icmp} from (self) \
>     to $IntIf:network
>
> ### End $IntIf outbound ###
>
> ### $Free outbound ###
> # Allow self to reach FreeWifi
> pass out log on $Free inet proto {tcp, udp, icmp} from (self) \
>     to $Free:network
>
> ### End $Free outbound ###
>
> ### $Free inbound ###
> # Allow FreeWifi to access port www and https
> pass in log on $Free inet proto tcp from $Free:network \
>     to !$IntIf:network port www
> pass in log on $Free inet proto tcp from $Free:network \
>     to !$IntIf:network port https
>
> # Local DNS access for FreeWifi
> pass in log on $Free inet proto udp from $Free:network \
>     to $Free port domain
>
> ### End $Free inbound ###
>
> ### $IntIf inbound ###############
>
> # Allow all out
> pass in log on $IntIf inet proto {tcp, udp, icmp} from $IntIf:network \
>     to any
>
> # Ftp-proxy
> pass in log on $IntIf inet proto tcp from $IntIf:network \
>     to !$IntIf port $ftp divert-to $lo0 port $ftp_proxy
>
> # Symux
> pass in log on $IntIf inet proto {tcp, udp} from $IntIf:network \
>     to $IntIf port $symux rdr-to $lo0
>
> # Postfix
> pass in log on $IntIf inet proto {tcp, udp} from $ntp \
>     to $IntIf port smtp rdr-to $lo0
>
> # Allow SamKnows to run its tests
> pass in log on $IntIf inet proto {tcp, udp, icmp} from $sam \
>     to any tag SAM
>
> ### End $IntIf inbound ###
>
> ### $ExtIf outbound ###
>
> ## TCP ##
> # Queue default (i_bittor & b_bittor )
> pass out log on $ExtIf inet proto tcp from ($ExtIf) \
>     to any port $hi_ports queue (i_bittor, i_ack)
> pass out log on $ExtIf inet proto tcp from ($ExtIf) \
>     to <bgnets> port $hi_ports queue (b_bittor, b_ack)
>
> # Queue bulk (i_bulk $ b_bulk )
> pass out log on $ExtIf inet proto tcp from ($ExtIf) \
>     to any port $low_ports queue (i_bulk, i_ack)
> pass out log on $ExtIf inet proto tcp from ($ExtIf) \
>     to <bgnets> port $low_ports queue (b_bulk, b_ack)
>
> # Queue web (i_web $ b_web )
> pass out log on $ExtIf inet proto tcp from ($ExtIf) \
>     to any port $web queue (i_web, i_ack)
> pass out log on $ExtIf inet proto tcp from ($ExtIf) \
>     to <bgnets> port $web queue (b_web, b_ack)
>
> ## UDP ##
> # Queue default (i_bittor & b_bittor)
> pass out log on $ExtIf inet proto udp from ($ExtIf) \
>     to any port $hi_ports queue i_bittor
> pass out log on $ExtIf inet proto udp from ($ExtIf) \
>     to <bgnets> port $hi_ports queue b_bittor
>
> # Queue bulk (i_bulk & b_bulk)
> pass out log on $ExtIf inet proto udp from ($ExtIf) \
>     to any port $low_ports queue i_bulk
> pass out log on $ExtIf inet proto udp from ($ExtIf) \
>     to <bgnets> port $low_ports queue b_bulk
>
> # Queue dns (i_dns & b_dns)
> pass out log on $ExtIf inet proto udp from ($ExtIf) \
>     to any port domain queue i_dns
> pass out log on $ExtIf inet proto udp from ($ExtIf) \
>     to <bgnets> port domain queue b_dns
>
> # Queue ntp (i_ntp & b_ntp)
> pass out log on $ExtIf inet proto udp from ($ExtIf) \
>     to any port ntp queue i_ntp
> pass out log on $ExtIf inet proto udp from ($ExtIf) \
>     to <bgnets> port ntp queue b_ntp
>
> # ICMP
> pass out log on $ExtIf inet proto icmp from ($ExtIf) \
>     to any $IcmpType queue i_web
> pass out log on $ExtIf inet proto icmp from ($ExtIf) \
>     to <bgnets> $IcmpType queue b_web
>
> # Traceroute
> pass out log on $ExtIf inet proto udp from ($ExtIf) \
>     to any port $trace queue i_ntp
> pass out log on $ExtIf inet proto udp from ($ExtIf) \
>     to <bgnets> port $trace queue b_ntp
>
> # SamKnows
> pass out log on $ExtIf inet proto {tcp, udp, icmp} from ($ExtIf) \
>     to any queue i_ack tagged SAM
> pass out log on $ExtIf inet proto {tcp, udp, icmp} from ($ExtIf) \
>     to <bgnets> queue b_ack tagged SAM
>
> ### End $ExtIf outbound ###########
>
> dmesg:
> OpenBSD 5.2-current (GENERIC) #15: Fri Jan 11 14:04:04 MST 2013
> t...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: AMD Athlon(TM) XP1600+ ("AuthenticAMD" 686-class, 256KB L2 cache) 1.42 GHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE,MMXX,3DNOW2,3DNOW
> real mem = 402112512 (383MB)
> avail mem = 384557056 (366MB)
> mainbus0 at root
> bios0 at mainbus0: AT/286+ BIOS, date 03/03/03, BIOS32 rev. 0 @ 0xf0d00, SMBIOS rev. 2.3 @ 0xf2bc0 (46 entries)
> bios0: vendor Award Software, Inc. version "ASUS A7V266-C ACPI BIOS Rev 1014" date 03/03/2003
> bios0: ASUSTeK Computer INC. A7V266-C
> apm0 at bios0: Power Management spec V1.2
> acpi at bios0 function 0x0 not configured
> pcibios0 at bios0: rev 2.1 @ 0xf0000/0x1572
> pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf14b0/192 (10 entries)
> pcibios0: PCI Interrupt Router at 000:17:0 ("VIA VT82C586 ISA" rev 0x00)
> pcibios0: PCI bus #1 is the last bus
> bios0: ROM list: 0xc0000/0x8000 0xc8000/0x1000 0xcc000/0x1000
> cpu0 at mainbus0: (uniprocessor)
> pci0 at mainbus0 bus 0: configuration mode 1 (bios)
> pchb0 at pci0 dev 0 function 0 "VIA VT8366 PCI" rev 0x00
> viaagp0 at pchb0: v2
> agp0 at viaagp0: aperture at 0xfe800000, size 0xe400000
> ppb0 at pci0 dev 1 function 0 "VIA VT8366 AGP" rev 0x00
> pci1 at ppb0 bus 1
> vga1 at pci0 dev 12 function 0 "S3 ViRGE DX/GX" rev 0x01
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> em0 at pci0 dev 13 function 0 "Intel PRO/1000MT (82540EM)" rev 0x02: irq 11, address 00:07:e9:10:32:a8
> em1 at pci0 dev 15 function 0 "Intel PRO/1000MT (82540EM)" rev 0x02: irq 10, address 00:07:e9:10:2a:20
> viapm0 at pci0 dev 17 function 0 "VIA VT8233A ISA" rev 0x00: SMI
> iic0 at viapm0
> lm1 at iic0 addr 0x2d: AS99127F
> viapm0: 24-bit timer at 3579545Hz
> pciide0 at pci0 dev 17 function 1 "VIA VT82C571 IDE" rev 0x06: ATA133, channel 0 configured to compatibility, channel 1 configured to compatibility
> wd0 at pciide0 channel 0 drive 0: <WDC WD800JB-00ETA0>
> wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
> wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
> pciide0: channel 1 disabled (no drives)
> uhci0 at pci0 dev 17 function 2 "VIA VT83C572 USB" rev 0x23: irq 12
> uhci1 at pci0 dev 17 function 3 "VIA VT83C572 USB" rev 0x23: irq 12
> usb0 at uhci0: USB revision 1.0
> uhub0 at usb0 "VIA UHCI root hub" rev 1.00/1.00 addr 1
> usb1 at uhci1: USB revision 1.0
> uhub1 at usb1 "VIA UHCI root hub" rev 1.00/1.00 addr 1
> isa0 at mainbus0
> isadma0 at isa0
> com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> com0: console
> com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
> pckbc0 at isa0 port 0x60/5
> pckbd0 at pckbc0 (kbd slot)
> pckbc0: using irq 1 for kbd slot
> wskbd0 at pckbd0: console keyboard, using wsdisplay0
> pcppi0 at isa0 port 0x61
> spkr0 at pcppi0
> npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
> mtrr: Pentium Pro MTRR support
> vscsi0 at root
> scsibus0 at vscsi0: 256 targets
> softraid0 at root
> scsibus1 at softraid0: 256 targets
> root on wd0a swap on wd0b dump on wd0b
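
A check for the symptom shown in the quoted report, where the gateway entry keeps its MAC but loses the `permanent static` flags: the function reads `arp -a` output and reports whether a pinned entry is still intact. This is an added example, not part of the original thread; the helper name `check_pinned_arp` and its result strings are assumptions, and the sample lines are the two `arp -a` outputs quoted above.

```shell
#!/bin/sh
# Added example; check_pinned_arp is a hypothetical helper name.
# Usage: arp -a | check_pinned_arp <ip> <mac>
# Prints ok | flag-lost | mac-changed | missing; exit status is 0 only for ok.
check_pinned_arp() {
    want_mac=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    awk -v ip="($1)" -v mac="$want_mac" '
        # arp -a line layout: host (ip) at mac on ifname [flags...]
        $2 == ip {
            seen = 1
            if (tolower($4) != mac)            state = "mac-changed"
            else if ($0 ~ / permanent( |$)/)   state = "ok"
            else                               state = "flag-lost"
        }
        END {
            if (!seen) state = "missing"
            print state
            exit (state == "ok" ? 0 : 1)
        }'
}

# The two arp -a lines from the report (addresses are redacted there as XX).
ARP_BEFORE='gw.xx.xx (XX.XX.XX.33) at 00:50:45:5f:16:58 on em0 permanent static'
ARP_AFTER='gw.xx.xx (XX.XX.XX.33) at 00:50:45:5f:16:58 on em0'

# Demo: classify both samples; "|| true" keeps a non-ok result from aborting.
for sample in "$ARP_BEFORE" "$ARP_AFTER"; do
    printf '%s\n' "$sample" |
        check_pinned_arp XX.XX.XX.33 00:50:45:5f:16:58 || true
done
```

Run against live `arp -a` output at the dhclient renewal interval, once with PF enabled and once with it disabled or reduced to simple rules, it records when the flag is lost in each configuration.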