>> if you can post dmesg and some relevant 'pass' rules, that might help.
Sure, So far, I have started my test and I have far less problems now but I
don't think the solution is fine. As of Version 4.1, the rule keep state flags
S/SA is by default.
All my problems went away when I used the following rules:
pass out on $if_prod proto tcp from any to <so_prod_ad> port {http, https} no
state flags any label "Internet vers la prod AD"
pass in on $if_prod proto tcp from <so_prod_ad> port {http, https} to any no
state flags any label "Reply From AD to the Internet"
If go on keep state, then, when I launch a download at 25 Mo/s, then it
downloads about 35 Mo then stops and my log get full of
Jun 7 12:15:26 so-knox01a-std /bsd: pf: BAD state: TCP 193.189.125.227:51872
193.189.125.227:51872 77.72.91.10:80 [lo=936647122 high=936652914 win=5840
modulator=0] [lo=2657626173 high=2657632013 win=5792 modulator=0] 4:2 SA
seq=2660626928 (2660626928) ack=936647122 len=0 ackskew=0 pkts=3:1 dir=in,rev
Jun 7 12:15:26 so-knox01a-std /bsd: pf: State failure on: 1 | 5
Jun 7 12:15:26 so-knox01a-std /bsd: pf: BAD state: TCP 193.189.125.227:51876
193.189.125.227:51876 77.72.91.10:80 [lo=941137405 high=941143197 win=5840
modulator=0] [lo=2659274591 high=2659280431 win=5792 modulator=0] 4:2 SA
seq=2662275452 (2662275452) ack=941137405 len=0 ackskew=0 pkts=3:1 dir=in,rev
Jun 7 12:15:26 so-knox01a-std /bsd: pf: State failure on: 1 | 5
Jun 7 12:15:26 so-knox01a-std /bsd: pf: BAD state: TCP 193.189.125.227:51880
193.189.125.227:51880 77.72.91.10:80 [lo=941037484 high=941043276 win=5840
modulator=0] [lo=2663170100 high=2663175940 win=5792 modulator=0] 4:2 SA
seq=2666170841 (2666170841) ack=941037484 len=0 ackskew=0 pkts=3:1 dir=in,rev
Jun 7 12:15:26 so-knox01a-std /bsd: pf: State failure on: 1 | 5
>From my understanding, State failure on: 1 means the sequence number was too
much ahead, based on the RFC. But, Today, with adaptive TCP Windows, we can
have so many packets going thru at the same time.
Leo
