This is a weird problem that took me a while to track down. First off, I have 3 OpenBSD servers, 1 Linux machine, and a couple of Windows workstations on my network. My firewall running NAT is OpenBSD 3.5. It is doing NAT for the Linux and Windows computers. The other two OpenBSD servers are outside of the firewall, each running pf. Now all of a sudden (it seemed this way) I could not maintain a session from a host behind the firewall to either of the two OpenBSD servers (all internet traffic was fine). What would happen if I tried to access my webserver (one of the two OpenBSD servers) is the page would start to load and only show about 1/3 of the page, then freeze. My other server (mail server) would not allow me to download my email via POP/IMAP, but looking at tcpdump I was able to fully log into the server. I could ssh to the server and hit enter a few times, but as soon as I did anything like "ps axu" it would freeze halfway into the output.
Since I had not changed any of my pf.conf files in several months (server uptimes all were around 40-50 days) and I saw no signs of hacking (log files, mtree, etc.) I was stumped. I tried moving my Linux machine outside the firewall and I had the same problem accessing the servers. I tried rebooting all of my servers and even my switch with no change. Then I started looking at my pf.conf rules and removing several at a time, and figured out that there was one rule that was causing the whole problem. Here is the ruleset from one of my servers; the first "pass in" rule is the problem. As soon as I removed "keep state" there are no problems with anything, and when I add "keep state" back in, the problems return. What does this mean? What can I do? I mean, I guess I don't NEED keep state, but I would like to use it if possible. The hardware is adequate: 350 MHz AMD and P2 450, 128 MB RAM and 128 MB RAM for my web and mail servers respectively.

ExtIf="dc0"
Public="{ 80, 21, 22 }"

scrub in all

pass in log quick on $ExtIf inet proto tcp from any to any port $Public \
        keep state
#pass in log quick on $ExtIf inet proto tcp from any to any port $Public
block in log all label "block in all"
pass out log quick on $ExtIf inet proto tcp all modulate state
pass out log quick on $ExtIf inet proto udp all keep state
pass out log quick on $ExtIf inet proto icmp all keep state
pass in log quick on $ExtIf inet proto icmp all keep state

-- 
Public key http://www.krytosvirus.com/public.asc
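As an added example that is not part of the original post (and not a diagnosis of the poster's problem), here is the same ruleset with the stateful TCP rules written using pf's `flags S/SA` idiom, which is how stateful pass rules are commonly written: a state entry is created only by the connection-opening SYN (SYN set, ACK clear), never by a mid-stream segment that happens to match the rule. The interface macro, port list and labels are the poster's own; the `flags S/SA` qualifiers are the only addition.

```pf
# Added example, not from the original post: the poster's ruleset with the
# stateful TCP rules restricted to creating state on the initial SYN only.
ExtIf="dc0"
Public="{ 80, 21, 22 }"

scrub in all

# Create state only on the connection-opening SYN (SYN set, ACK clear);
# later segments of the connection are matched by the state entry itself.
pass in log quick on $ExtIf inet proto tcp from any to any port $Public \
        flags S/SA keep state

block in log all label "block in all"

# Same idiom for outbound TCP; modulate state keeps the ISN randomisation.
pass out log quick on $ExtIf inet proto tcp all flags S/SA modulate state
pass out log quick on $ExtIf inet proto udp all keep state
pass out log quick on $ExtIf inet proto icmp all keep state
pass in  log quick on $ExtIf inet proto icmp all keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, so a syntax slip is caught before the running ruleset is touched. While reproducing a stall like the one described, `pfctl -ss` shows the state table and `pfctl -si` shows the state-tracking counters; comparing the state entries for a stalled session against the five-tuple seen in tcpdump is the quickest way to tell whether the rule is creating the state you expect.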