Hi,

I'm using OpenBSD 4.4 as a firewall running pf.

When running a program (darcs) to sync to
a revision control repository there are
repeated http requests made.  I find that
after an indeterminate number, typically
50 to 250 such requests, the program
aborts with connection refused.

I did a tcpdump of both the inside (sis0)
interface and outside (sis1) interface and found
that the final tcp/http request consists
of a single SYN packet that is received
on the internal interface but not sent
out the external interface.  The firewall
is sending an ICMP unreachable to the client.

pfctl -s info shows that state-insert
increases by 1 every time I have the
problem.  The number of states is only
about 400 to 600, far below the 10,000
limit.  vmstat 1 seems to show free memory
the whole time.

netstat -s shows an increase of 1 in
"packets not forwardable".  And of course
there's an increase of 1 in both
"calls to icmp_error" and "destination unreachable".

Setting pfctl -x to misc or loud leaves
nothing in the log.  (I once messed with
the log, so it's remotely possible I've broken
something here.  But I don't think so.)

How can I find out more about what's going on?
If there's congestion on the outbound wire
shouldn't the SYN just be dropped so the
sending TCP stack (Linux/libcurl) can retry?

FWIW, I had queueing in my pf.conf but removed
it and there was no difference either way.

I can make the tcpdumps available to anyone
who wants them.  I'll post them somewhere public if
anybody asks.  (~700K each, gzipped)
I would prefer to send my pf.conf privately.

If this is not a pf issue please let me know
and I'll try the OpenBSD misc list.

Thanks.

Karl <k...@meme.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
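The poster correlates each failing request with a +1 in pf's `state-insert` counter and in the `packets not forwardable` / `icmp_error` counters. The following script, added here as an illustration and not part of the original mail or of OpenBSD, automates that comparison: it parses two snapshots of `pfctl -s info` and `netstat -s` output and reports only the counters that moved between them, so one can run it around a single failing darcs request instead of eyeballing the numbers. The two snapshot texts are constructed sample data that only approximate the real output layout of pfctl(8) and netstat(1) on OpenBSD 4.x; the function and constant names are this example's own.

```python
"""Diff two snapshots of `pfctl -s info` and `netstat -s` counters.

Added example for the thread above; the sample texts are constructed and
only approximate the real output format of OpenBSD 4.x tools.
"""
import re

# pfctl -s info counter line, e.g. "  state-insert    3    0.0/s" (rate optional)
PF_LINE = re.compile(r"^\s{2}([a-z][a-z -]*?)\s{2,}(\d+)(?:\s+[\d.]+/s)?\s*$")
# netstat -s counter line, e.g. "        1 packets not forwardable"
NS_LINE = re.compile(r"^\s+(\d+)\s+(.+?)\s*$")
# netstat -s histogram line, e.g. "                destination unreachable: 12"
NS_HIST = re.compile(r"^\s+([a-z][a-z ]*?):\s+(\d+)\s*$")


def parse_pf_info(text):
    """Return {counter_name: value} for the State Table and Counters blocks."""
    counters = {}
    for line in text.splitlines():
        m = PF_LINE.match(line)
        if m:
            counters[m.group(1).strip()] = int(m.group(2))
    return counters


def parse_netstat_s(text):
    """Return {description: value} for plain and histogram counter lines."""
    counters = {}
    for line in text.splitlines():
        m = NS_LINE.match(line)
        if m:
            counters[m.group(2)] = int(m.group(1))
            continue
        m = NS_HIST.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def diff_counters(before, after):
    """Return {name: delta} for every counter whose value changed."""
    return {k: after[k] - before.get(k, 0)
            for k in after if after[k] != before.get(k, 0)}


def changed_counters(pf_before, pf_after, ns_before, ns_after):
    """Combine the pf and netstat deltas for one failing request."""
    return {
        "pf": diff_counters(parse_pf_info(pf_before), parse_pf_info(pf_after)),
        "netstat": diff_counters(parse_netstat_s(ns_before),
                                 parse_netstat_s(ns_after)),
    }


# --- constructed sample snapshots (not real captures) -----------------------
PF_BEFORE = """\
Status: Enabled for 0 days 02:13:07           Debug: Urgent

State Table                          Total             Rate
  current entries                      512
  searches                          123456            0.0/s
  inserts                              789            0.0/s
  removals                             277            0.0/s
Counters
  match                              12345            0.0/s
  memory                                 0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           3            0.0/s
  state-limit                            0            0.0/s
"""
# Same host a moment later, after one failing request.
PF_AFTER = (PF_BEFORE
            .replace("123456", "123458")
            .replace("12345 ", "12346 ")
            .replace("state-insert                           3",
                     "state-insert                           4"))

NS_BEFORE = """\
ip:
        4321 total packets received
        0 packets not forwardable
        0 with bad header checksum
icmp:
        12 calls to icmp_error
        Output histogram:
                destination unreachable: 12
"""
NS_AFTER = (NS_BEFORE
            .replace("0 packets not forwardable", "1 packets not forwardable")
            .replace("12 calls", "13 calls")
            .replace("unreachable: 12", "unreachable: 13"))

if __name__ == "__main__":
    # In practice: save `pfctl -s info` and `netstat -s` before and after
    # one failing request and feed the four files in here.
    for tool, deltas in changed_counters(PF_BEFORE, PF_AFTER,
                                         NS_BEFORE, NS_AFTER).items():
        for name, delta in sorted(deltas.items()):
            print(f"{tool}: {name} +{delta}")
```

Only counters that actually moved are reported, so an unchanged `state-limit` or `memory` line tells you at a glance that the failure is not a state-table or memory limit, which matches what the poster observed. One further check worth making when `pfctl -x misc` appears to log nothing: pf's debug-level messages are printed to the kernel message buffer, so they show up in dmesg(8) and the console rather than in the pflog interface.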
