Hi all, I am sorry to bother the list, but I think I may have encountered a bug and I would like to share it with you. I have been using OpenBSD to build firewalls for a long time, in a VLAN + CARP setup. When computers in the protected network download a file over HTTP, everything works for the first 15 Mo, then it stops.
When I tcpdump on the external address, I get the following:

08:34:19.343833 mirrors.club-internet.fr.www > so-bo01-std.55692: P 17637121:17638569(1448) ack 174 win 49232 <nop,nop,timestamp 3651037459 313698521> (DF)
08:34:19.343870 so-bo01-std.55692 > mirrors.club-internet.fr.www: . ack 17634225 win 1810 <nop,nop,timestamp 313698522 3651037459> (DF)
08:34:19.614303 mirrors.club-internet.fr.www > so-bo01-std.55692: P 20054337:20055785(1448) ack 174 win 49232 <nop,nop,timestamp 3651037487 313698589> (DF)
08:34:19.614326 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
08:34:20.024189 mirrors.club-internet.fr.www > so-bo01-std.55692: . 20009449:20010897(1448) ack 174 win 49232 <nop,nop,timestamp 3651037528 313698589> (DF)
08:34:20.024210 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
08:34:20.844464 mirrors.club-internet.fr.www > so-bo01-std.55692: . 20009449:20010897(1448) ack 174 win 49232 <nop,nop,timestamp 3651037610 313698589> (DF)
08:34:20.844485 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
08:34:22.485887 mirrors.club-internet.fr.www > so-bo01-std.55692: . 20009449:20010897(1448) ack 174 win 49232 <nop,nop,timestamp 3651037774 313698589> (DF)
08:34:22.485907 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
08:34:24.234738 so-bo01-std.55692 > mirrors.club-internet.fr.www: F 174:174(0) ack 20009449 win 1851 <nop,nop,timestamp 313699744 3651037482> (DF)
08:34:24.235872 mirrors.club-internet.fr.www > so-bo01-std.55692: . ack 175 win 49232 <nop,nop,timestamp 3651037949 313699744> (DF)

On the internal interfaces, I see nothing related to the host unreachable, just a reset after a while from the server.
- If I pfctl -d, everything works.
- If I remove all the block statements in the pf.conf, it does not work.
- If I rate limit the download to 50 ko/s, then I still get unreachables but it is able to recover; above that, and up to 100 Mo, it fails and the transfer stalls.
- If I create an empty rules file, then it works.

Here are the two rules:

# Production firewall to the second firewall
service_granted="{domain, ntp, smtp, snmp, http}"
block out log on $if_interco all label "Protection vers le Back"
pass in on $if_interco proto {tcp, udp} from {$net_back, $net_interco} to any port $service_granted keep state label "Back Office vers l'Internet"

Please advise.

Regards,
Lio Alionis
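Added example, not part of the original post or of any OpenBSD tool: a small Python checker that reads the classic tcpdump text format quoted above and reports each ICMP host-unreachable the firewall emits for a host that still has unacknowledged TCP data in flight, which is the signature of the flow being cut mid-transfer that the report describes. It assumes the capture uses the same line layout and host naming as the quoted dump; the correlation heuristic is my own.

```python
import re

# Classic tcpdump TCP line: "ts src > dst: FLAGS [seq:end(len)] ack N win W ..."
TCP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRP.]+) "
    r"(?:(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\) )?ack (?P<ack>\d+)"
)
# ICMP host-unreachable the firewall sends back to the peer of a protected host
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): icmp: host (?P<host>\S+) unreachable"
)

def hostname(endpoint):
    """Drop the port/service suffix tcpdump appends: 'so-bo01-std.55692' -> 'so-bo01-std'."""
    return endpoint.rsplit(".", 1)[0]

def find_state_loss(lines):
    """Flag each ICMP host-unreachable sent for a host that still has unacknowledged TCP data
    in flight (the firewall stopped matching an established flow). Returns (ts, host, bytes)."""
    sent_end = {}   # host -> highest sequence byte seen heading towards that host
    acked = {}      # host -> last ack number that host itself sent
    findings = []
    for line in lines:
        m = TCP_RE.match(line)
        if m:
            if m["len"] and int(m["len"]) > 0:          # segment carries payload
                dst = hostname(m["dst"])
                sent_end[dst] = max(sent_end.get(dst, 0), int(m["end"]))
            acked[hostname(m["src"])] = int(m["ack"])  # every TCP line here carries an ack
            continue
        m = ICMP_RE.match(line)
        if m:
            host = m["host"]
            unacked = sent_end.get(host, 0) - acked.get(host, 0)
            if unacked > 0:  # data was still flowing: the flow was cut, not finished
                findings.append((m["ts"], host, unacked))
    return findings

# Sample input: lines copied from the external-interface capture quoted in the report above
SAMPLE = """\
08:34:19.343833 mirrors.club-internet.fr.www > so-bo01-std.55692: P 17637121:17638569(1448) ack 174 win 49232 <nop,nop,timestamp 3651037459 313698521> (DF)
08:34:19.343870 so-bo01-std.55692 > mirrors.club-internet.fr.www: . ack 17634225 win 1810 <nop,nop,timestamp 313698522 3651037459> (DF)
08:34:19.614303 mirrors.club-internet.fr.www > so-bo01-std.55692: P 20054337:20055785(1448) ack 174 win 49232 <nop,nop,timestamp 3651037487 313698589> (DF)
08:34:19.614326 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
08:34:20.024189 mirrors.club-internet.fr.www > so-bo01-std.55692: . 20009449:20010897(1448) ack 174 win 49232 <nop,nop,timestamp 3651037528 313698589> (DF)
08:34:20.024210 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
08:34:24.234738 so-bo01-std.55692 > mirrors.club-internet.fr.www: F 174:174(0) ack 20009449 win 1851 <nop,nop,timestamp 313699744 3651037482> (DF)
08:34:24.235872 mirrors.club-internet.fr.www > so-bo01-std.55692: . ack 175 win 49232 <nop,nop,timestamp 3651037949 313699744> (DF)
""".splitlines()
```

Running find_state_loss(SAMPLE) returns two findings of 2421560 bytes each: the firewall answered the server with host-unreachable while about 2.4 MB of the download was still unacknowledged by the protected host, so the state was lost rather than the transfer having finished.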