I think this may be related, or another 1.2.2 upgrade woe to add to your list:
I have 2 firewalls that were running 1.2, carped together with fw1 (master) syncing to fw2. Before upgrading fw1 to 1.2.2, I backed up the config files on both firewalls. I have verified that the rules sections are identical on both firewalls. I upgraded fw1 to 1.2.2 and left fw2 at 1.2 just in case I ran into problems.

I did (run into problems): I have an old mailserver outside the firewall relaying mail to new mailserver behind firewall. After the 1.2.2 upgrade, fw1 continues to relay okay, until someone sends a large-ish attachment that needs to be relayed between the two mailservers (xxx.xxx.51.1 is mailserver outside the firewall and yyy.yyy.209.2 is mailserver inside firewall).

fw1 (1.2.2) reports:

Jan 30 08:11:10 fw1/fw1 pf: 15. 670556 rule 1581/0(match): block in on em1: (tos 0x0, ttl 63, id 23650, offset 0, flags [none],proto TCP (6), length 1500) xxx.xxx.51.1.63475 > yyy.yyy.209.2.25: . 0:1460(1460) ack 1 win 49498

relevant fw1 rules:

@264 pass in quick on em1 reply-to (em1 yyy.yyy.203.142) inet from xxx.xxx.51.1 to yyy.yyy.209.2 flags S/SA keep state label "USER_RULE: MTA"
@265 pass in quick on carp11 reply-to (em1 yyy.yyy.203.142) inet from xxx.xxx.51.1 to yyy.yyy.209.2 flags S/SA keep state label "USER_RULE: MTA"
...
@1581 block drop in log quick all label "Default deny rule"

As soon as I shut down fw1 and leave fw2 as master, I send the same email message again, this time successfully.

fw2 reports (I enabled rule logging on fw2):

Jan 30 09:17:13 fw2/fw2 pf: 288961 rule 255/0(match): pass in on em1: (tos 0x0, ttl 63, id 41857, offset 0, flags [none], proto: TCP (6), length: 48) xxx.xxx.51.1.33879 > yyy.yyy.209.2.25: S, cksum 0xc441 (correct), 951133206:951133206(0) win 49640 <mss 1460,nop,nop,sackOK>
Jan 30 09:17:43 fw2/fw2 pf: 1. 324892 rule 255/0(match): pass in on em1: (tos 0x0, ttl 63, id 35233, offset 0, flags [none], proto: TCP (6), length: 48) xxx.xxx.51.1.33890 > yyy.yyy.209.2.25: S, cksum 0x93fb (correct), 959337428:959337428(0) win 49640 <mss 1460,nop,nop,sackOK>

fw2 rules:

@255 pass in quick on em1 inet from xxx.xxx.51.1 to yyy.yyy.209.2 keep state label "USER_RULE: MTA"
@256 pass in quick on carp11 inet from xxx.xxx.51.1 to yyy.yyy.209.2 keep state label "USER_RULE: MTA"

I don't want to downgrade given that there are security fixes between 1.2 and 1.2.2.

Your help always appreciated!

-Julie