Hi, I'm using OpenBSD 4.4 as a firewall running pf.
When running a program (darcs) to sync to a revision control repository there are repeated http requests made. I find that after an indeterminate number, typically 50 to 250 such requests, the program aborts with connection refused.

I did a tcpdump of both the inside (sis0) interface and outside (sis1) interface and found that the final tcp/http request consists of a single SYN packet that is received on the internal interface but not sent out the external interface. The firewall is sending an ICMP unreachable to the client.

pfctl -s info shows that state-insert increases by 1 every time I have the problem. The number of states is only about 400 to 600, far below the 10,000 limit. vmstat 1 seems to show free memory the whole time. netstat -s shows an increase of 1 in "packets not forwardable". And of course there's an increase of 1 in both "calls to icmp_error" and "destination unreachable". Setting pfctl -x to misc or loud leaves nothing in the log. (I once messed with the log, so it's remotely possible I've broken something here. But I don't think so.)

How can I find out more about what's going on? If there's congestion on the outbound wire shouldn't the SYN just be dropped so the sending TCP stack (Linux/libcurl) can retry? FWIW, I had queueing in my pf.conf but removed it and there was no difference either way.

I can make the tcpdumps available to anyone who wants them. I'll post them somewhere public if anybody asks. (~700K each, gzipped) I would prefer to send my pf.conf privately. If this is not a pf issue please let me know and I'll try the OpenBSD misc list.

Thanks.

Karl <k...@meme.com>
Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein
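The cross-interface correlation described above (a SYN seen on sis0 that never appears on sis1, followed by an ICMP unreachable back to the client) can be automated rather than done by eye. The script below is an added example, not code or captures from the poster: it takes the text output of `tcpdump -n -r sis0.pcap` and `tcpdump -n -r sis1.pcap` in OpenBSD tcpdump's `S seq:seq(0)` notation, keys each plain SYN on (destination host, destination port, initial sequence number) so that a NAT rewrite of the source address and port on the outside interface does not break the match, and reports every inside SYN with no outside counterpart together with the first ICMP unreachable the firewall sent back to that client. The sample lines, the addresses and the interface roles are constructed assumptions; the ISN-based matching also assumes pf is not using `modulate state`, which would rewrite the sequence number on the outside.

```python
import re

# Regexes for OpenBSD tcpdump -n text output (assumed format).
# A plain SYN prints as "S <seq>:<seq>(0) win ..."; the peer's SYN-ACK prints
# the same but followed by " ack <n>", which we skip.
SYN_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): S (?P<seq>\d+):\d+\(0\)(?P<rest>.*)$')
ICMP_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): icmp: .*unreachable')

# Constructed sample captures (not the poster's): 192.168.1.10 is the darcs
# client behind sis0, 192.168.1.1 the firewall's inside address, 198.51.100.2
# its NATed outside address, 203.0.113.5 the repository web server.
INSIDE_SIS0 = """\
10:00:01.000100 192.168.1.10.40001 > 203.0.113.5.80: S 1000:1000(0) win 5840 <mss 1460>
10:00:01.000900 203.0.113.5.80 > 192.168.1.10.40001: S 7000:7000(0) ack 1001 win 5792
10:00:02.000100 192.168.1.10.40002 > 203.0.113.5.80: S 2000:2000(0) win 5840 <mss 1460>
10:00:02.000300 192.168.1.1 > 192.168.1.10: icmp: host 203.0.113.5 unreachable
10:00:03.000100 192.168.1.10.40003 > 203.0.113.5.80: S 3000:3000(0) win 5840 <mss 1460>
"""

OUTSIDE_SIS1 = """\
10:00:01.000200 198.51.100.2.50001 > 203.0.113.5.80: S 1000:1000(0) win 5840 <mss 1460>
10:00:01.000800 203.0.113.5.80 > 198.51.100.2.50001: S 7000:7000(0) ack 1001 win 5792
10:00:03.000200 198.51.100.2.50003 > 203.0.113.5.80: S 3000:3000(0) win 5840 <mss 1460>
"""


def split_endpoint(ep):
    """'192.168.1.10.40001' -> ('192.168.1.10', 40001)."""
    host, port = ep.rsplit('.', 1)
    return host, int(port)


def parse_syns(text):
    """Map (dst_host, dst_port, isn) -> (timestamp, src_endpoint) for every
    plain SYN in a capture. NAT changes the source, not the destination or the
    ISN (absent 'modulate state'), so this key survives the trip through pf."""
    syns = {}
    for line in text.splitlines():
        m = SYN_RE.match(line)
        if not m or ' ack ' in m.group('rest'):
            continue  # not a SYN, or a SYN-ACK from the server
        dhost, dport = split_endpoint(m.group('dst'))
        key = (dhost, dport, int(m.group('seq')))
        syns.setdefault(key, (m.group('ts'), m.group('src')))
    return syns


def parse_icmp_unreachable(text):
    """List (timestamp, src, dst) for every ICMP unreachable in a capture."""
    return [(m.group('ts'), m.group('src'), m.group('dst'))
            for m in map(ICMP_RE.match, text.splitlines()) if m]


def unforwarded_syns(inside_text, outside_text):
    """SYNs seen on the inside interface that never appeared on the outside,
    each paired with the first ICMP unreachable sent back to the client
    at or after the SYN's timestamp (None if the firewall stayed silent)."""
    inside = parse_syns(inside_text)
    outside = parse_syns(outside_text)
    icmp = parse_icmp_unreachable(inside_text)
    findings = []
    for key, (ts, src) in sorted(inside.items(), key=lambda kv: kv[1][0]):
        if key in outside:
            continue
        dhost, dport, seq = key
        shost, _ = split_endpoint(src)
        reply = next((r for r in icmp if r[0] >= ts and r[2] == shost), None)
        findings.append({'ts': ts, 'src': src, 'dst': f'{dhost}.{dport}',
                         'seq': seq, 'icmp_reply': reply})
    return findings


if __name__ == '__main__':
    for f in unforwarded_syns(INSIDE_SIS0, OUTSIDE_SIS1):
        print(f"{f['ts']} SYN {f['src']} -> {f['dst']} isn={f['seq']} "
              f"not forwarded; ICMP reply: {f['icmp_reply']}")
```

On a real run, replace the two constants with the output of `tcpdump -n -r` on each capture file and check that the count of findings matches the increments in state-insert and "packets not forwardable" observed for the same interval; if the ISN key never matches even for requests that did succeed, the firewall is rewriting sequence numbers and the key has to drop to (destination, timestamp window).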