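Take a "step back" and either disable PF or put "pass keep state" (e.g. simple
rules) and see if you can reproduce this problem. That shows whether the ruleset
is involved at all; with PF disabled the nat-to and rdr-to rules stop working
too, so run the test from the gateway itself.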

//mxb

On 14 jan 2013, at 21:38, Атанас Владимиров <don.na...@gmail.com> wrote:

> Hi,
> Today I upgraded to the 11.01.2013 snapshot and I still get the same error.
> I have a permanent static ARP entry for my default route.
> 
> [ns]~$ sudo /usr/sbin/arp -Ff /etc/ether.mac
> 
> [ns]~$ cat /etc/ether.mac
> XX.XX.XX.33 00:50:45:5f:16:58 permanent
> 
> [ns]~$ arp -a
> gw.xx.xx (XX.XX.XX.33) at 00:50:45:5f:16:58 on em0 permanent static
> 
> After a while:
> [ns]~$ arp -a
> gw.xx.xx (XX.XX.XX.33) at 00:50:45:5f:16:58 on em0
> 
> the "permanent static" flags on the ARP entry disappear.
> 
> /var/log/messages:
> Jan 14 20:46:47 ns /bsd: arpresolve: XX.XX.7.33: route without link local
> address
> Jan 14 20:51:47 ns last message repeated 42 times
> 
> /var/log/daemon:
> Jan 14 20:46:47 ns dhclient[2970]: DHCPREQUEST on em0 to XX.XX.7.1 port 67
> Jan 14 20:46:47 ns dhclient[2970]: DHCPACK from XX.XX.7.33
> (00:50:45:5f:16:58)
> Jan 14 20:46:47 ns dhclient[2970]: bound to XX.XX.7.48 -- renewal in 300
> seconds.
> 
> Here is my pf.conf
> 
> [ns]~$ sudo cat /etc/pf.conf
> 
> 
> ################ Macros
> #######################################################
> 
> ### Interfaces ###
> ExtIf ="em0"
> IntIf ="vlan41"
> Free  ="vlan81"
> pppx  ="192.168.3.0/25"
> lo0   ="127.0.0.1"
> 
> ### Hosts ###
> vl="192.168.1.2"
> jl="192.168.1.3"
> ve="192.168.1.4"
> ntp="192.168.1.5"
> sam="192.168.1.14"
> dpc11="192.168.1.11"
> 
> ### Ports ###
> low_ports = "0:1024"
> hi_ports  = "1025:65535"
> web       = "{20, 21, 22, 25, 80, 443, 3389, 5900, 6000, 7777, 8080}"
> ssh_extif = "2222"
> rdc       = "3389"
> rdc_extif = "4900"
> squid     = "8080"
> squid_extif = "443"
> vl_skype  = "30001"
> jl_skype  = "30002"
> ve_skype  = "30003"
> vl_torrent= "30004"
> jl_torrent= "30005"
> ve_torrent= "30006"
> vl_hfs    = "8081"
> ftp_proxy = "8021"
> symux     = "2100"
> ftp       = "21"
> vnc_ext   = "59001"
> vnc_int   = "5900"
> sftp      = "22222"
> l2tp      = "{ 500, 1701, 4500 }"
> trace     = "33434:33498"
> ### Queues, States and Types ###
> IcmpType ="icmp-type 8 code 0"
> SynState ="flags S/SAFR synproxy state"
> 
> ### Tables ###
>  table <bgnets> file "/etc/bgnets"
>  table <spamd-white> persist
>  table <proxy-users> persist { 188.254.185.154, 212.50.72.29,
> 85.217.136.0/21, \
>         95.111.100.14, 212.233.176.65, 78.128.124.161, 190.32.172.28 }
> ##                                                      panama
>  table <isp> persist { 94.26.7.32/27 }
>  table <BLOCK> persist { 82.119.88.70 }
> 
> ################ Options
> ######################################################
> ### Misc Options
> set block-policy drop
> set loginterface $ExtIf
> set skip on lo0
> set optimization aggressive
> # set state-defaults pflow
> 
> ################ Queueing
> ####################################################
> 
> altq on $ExtIf bandwidth 100% hfsc queue { BG, INTER }
>  queue INTER bandwidth 3% hfsc (upperlimit 2950Kb) \
> { i_ack, i_dns, i_ntp, i_web, i_bulk, i_bittor }
>        queue i_ack     bandwidth 30% priority 8 qlimit 500 hfsc (realtime
> 30%)
>        queue i_dns     bandwidth  5% priority 7 qlimit 500 hfsc (realtime
> 10%)
>        queue i_ntp     bandwidth 10% priority 6 qlimit 500 hfsc (realtime
> 10%)
>        queue i_web     bandwidth 30% priority 5 qlimit 500 hfsc (realtime
> 20%)
>        queue i_bulk    bandwidth 19% priority 2 qlimit 500 hfsc (realtime
> 15%)
>        queue i_bittor  bandwidth  1% priority 0 qlimit 2000 hfsc (default,
> upperlimit 60%)
> 
>  queue BG bandwidth 30% hfsc (upperlimit 30Mb) \
> { b_ack, b_dns, b_ntp, b_rdc, b_web, b_bulk, b_bittor }
>        queue b_ack     bandwidth 10% priority 8 qlimit 500 hfsc (realtime
> 10%)
>        queue b_dns     bandwidth 1%  priority 7 qlimit 500 hfsc (realtime
> 1% )
>        queue b_ntp     bandwidth 10% priority 7 qlimit 500 hfsc (realtime
> 1% )
>        queue b_rdc     bandwidth 10% priority 6 qlimit 500 hfsc (realtime
> 10%)
>        queue b_web     bandwidth 30% priority 5 qlimit 500 hfsc (realtime
> 30%)
>        queue b_bulk    bandwidth 30% priority 4 qlimit 500 hfsc (realtime
> 10%)
>        queue b_bittor  bandwidth 1%  priority 0 qlimit 500 hfsc
> (upperlimit 85%)
> 
> ################ Translation and Filtering
> ###################################
> 
> ### BLOCK all in/out on all interfaces by default and log
> block        log on $ExtIf
> block return log on $IntIf
> block return log on $Free
> block quick  log on $ExtIf from <BLOCK>
> 
> ### Network Address Translation (NAT with outgoing source port
> randomization)
> match out log on egress from (self) \
>        to any nat-to ($ExtIf:0) port 1024:65535
> match out log on egress from !($ExtIf:0) \
>        to any nat-to ($ExtIf:0) port 1024:65535
> 
> ### NAT from IntIf to FreeWifi
> match out log on $Free from $IntIf:network \
>        to $Free:network nat-to ($Free:0) port 1024:65535
> 
> ### Packet normalization ( "scrubbing" )
> match log on $ExtIf all scrub (random-id max-mss 1472)
> 
> ### Ftp ( secure ftp proxy for LAN )
> anchor "ftp-proxy/*"
> 
> ### pppx
> pass log from $pppx
> 
> ### $ExtIf inbound ################
> 
> # npppd
>  pass in log on $ExtIf proto {tcp, udp} from <bgnets> \
> to ($ExtIf) port $l2tp queue b_dns
> 
> # Named ( bind dns )
>  pass in log on $ExtIf inet proto udp from any \
> to ($ExtIf) port domain queue i_dns
>  pass in log on $ExtIf inet proto udp from <bgnets> \
> to ($ExtIf) port domain queue b_dns
> 
> # OpenSSH
>  pass in log on $ExtIf inet proto tcp from <bgnets> \
> to ($ExtIf) port $ssh_extif queue b_bulk rdr-to $lo0 port ssh
> 
> # SFTP to MAC OS X
>  pass in log on $ExtIf inet proto tcp from <bgnets> \
> to ($ExtIf) port $sftp queue b_bulk rdr-to $dpc11 port ssh
> 
> # Postfix
>  pass in log on $ExtIf inet proto tcp from <spamd-white> \
> to ($ExtIf) port smtp queue i_bulk rdr-to lo0
>  pass in log on $ExtIf inet proto tcp from !<spamd-white> \
> to ($ExtIf) port smtp rdr-to lo0 port spamd
> 
> # Nginx
>  pass in log on $ExtIf inet proto tcp from any \
> to ($ExtIf) port www queue (i_web, i_ack) rdr-to $lo0
>  pass in log on $ExtIf inet proto tcp from <bgnets> \
> to ($ExtIf) port www queue (b_web, b_ack) rdr-to $lo0
> 
> # Ntpd ( time server )
>  pass in log on $ExtIf inet proto udp from any \
> to ($ExtIf) port ntp queue i_ntp #rdr-to $ntp
>  pass in log on $ExtIf inet proto udp from <bgnets> \
> to ($ExtIf) port ntp queue b_ntp #rdr-to $ntp
> 
> # RDC_BG
>  pass in log on $ExtIf inet proto tcp from <bgnets> \
> to ($ExtIf) port $rdc_extif $SynState queue b_rdc rdr-to $vl port $rdc
> 
> # VNC TO MAC OS X
>  pass in log on $ExtIf inet proto tcp from <bgnets> \
> to ($ExtIf) port $vnc_ext $SynState queue b_rdc rdr-to $dpc11 port $vnc_int
> 
> # Squid
>  pass in log on $ExtIf inet proto tcp from <proxy-users> \
> to ($ExtIf) port $squid_extif $SynState queue b_bulk rdr-to $lo0 port
> $squid
> 
> # Skype (queue INTER)
>  pass in log on $ExtIf inet proto {tcp, udp} from any \
> to ($ExtIf) port $vl_skype queue i_bulk rdr-to $vl
>  pass in log on $ExtIf inet proto {tcp, udp} from any \
> to ($ExtIf) port $jl_skype queue i_bulk rdr-to $jl
>  pass in log on $ExtIf inet proto {tcp, udp} from any \
> to ($ExtIf) port $ve_skype queue i_bulk rdr-to $ve
> 
> # Skype (queue BG)
>  pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
> to ($ExtIf) port $vl_skype queue b_bulk rdr-to $vl
>  pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
> to ($ExtIf) port $jl_skype queue b_bulk rdr-to $jl
>  pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
> to ($ExtIf) port $ve_skype queue b_bulk rdr-to $ve
> 
> # uTorrent (queue INTER)
>  pass in log on $ExtIf inet proto {tcp, udp} from any \
> to ($ExtIf) port $vl_torrent queue (i_bittor, i_ack) rdr-to $vl
>  pass in log on $ExtIf inet proto {tcp, udp} from any \
> to ($ExtIf) port $jl_torrent queue (i_bittor, i_ack) rdr-to $jl
>  pass in log on $ExtIf inet proto {tcp, udp} from any \
> to ($ExtIf) port $ve_torrent queue (i_bittor, i_ack) rdr-to $ve
> 
> # uTorrent (queue BG)
>  pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
> to ($ExtIf) port $vl_torrent queue (b_bittor, b_ack) rdr-to $vl
>  pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
> to ($ExtIf) port $jl_torrent queue (b_bittor, b_ack) rdr-to $jl
>  pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
> to ($ExtIf) port $ve_torrent queue (b_bittor, b_ack) rdr-to $ve
> 
> # HFS
>  pass in log on $ExtIf inet proto tcp from <bgnets> \
> to ($ExtIf) port $vl_hfs queue (b_web, b_ack) rdr-to $vl
> 
> # Ping
>  pass in log on $ExtIf inet proto icmp from any \
> to ($ExtIf) $IcmpType
>  pass in log on $ExtIf inet proto icmp from <bgnets> \
> to ($ExtIf) $IcmpType queue b_bulk
> 
> ### End $ExtIf inbound ###########
> 
> ### $IntIf outbound ###########
> 
> # ntp.bsdbg.net
>  pass out log on $IntIf inet proto udp from any \
> to $ntp port ntp
> 
> # RDC
>  pass out log on $IntIf inet proto tcp from any \
> to $vl port $rdc
> 
> # VNC TO MAC OS X
>  pass out log on $IntIf inet proto tcp from any \
> to $dpc11 port $vnc_int
> 
> # SFTP to MAC OS X
>  pass out log on $IntIf inet proto tcp from any \
> to $dpc11 port ssh
> 
> # Skype
>  pass out log on $IntIf inet proto {tcp, udp} from any \
> to $vl port $vl_skype
>  pass out log on $IntIf inet proto {tcp, udp} from any \
> to $jl port $jl_skype
>  pass out log on $IntIf inet proto {tcp, udp} from any \
> to $ve port $ve_skype
> 
> # uTorrent
>  pass out log on $IntIf inet proto {tcp, udp} from any \
> to $vl port $vl_torrent
>  pass out log on $IntIf inet proto {tcp, udp} from any \
> to $jl port $jl_torrent
>  pass out log on $IntIf inet proto {tcp, udp} from any \
> to $ve port $ve_torrent
> 
> # HFS
>  pass out log on $IntIf inet proto tcp from <bgnets> \
> to $vl port $vl_hfs
> 
> # Allow self to reach Lan
>  pass out log on $IntIf inet proto {tcp, udp, icmp} from (self) \
> to $IntIf:network
> 
> ### End $IntIf outbound ###
> 
> ### $Free outbound ###
> # Allow self to reach FreeWifi
>  pass out log on $Free inet proto {tcp, udp, icmp} from (self) \
> to $Free:network
> 
> ### End $Free outbound ###
> 
> ### $Free inbound ###
> # Allow FreeWifi to access port www and https
>  pass in log on $Free inet proto tcp from $Free:network \
> to !$IntIf:network port www
>  pass in log on $Free inet proto tcp from $Free:network \
> to !$IntIf:network port https
> 
> # Local DNS access for FreeWifi
>  pass in log on $Free inet proto udp from $Free:network \
> to $Free port domain
> 
> ### End $Free inbound ###
> 
> ### $IntIf inbound ###############
> 
> # Allow all out
>  pass in log on $IntIf inet proto {tcp, udp, icmp} from $IntIf:network \
> to any
> 
> # Ftp-proxy
>  pass in log on $IntIf inet proto tcp from $IntIf:network \
> to !$IntIf port $ftp divert-to $lo0 port $ftp_proxy
> 
> # Symux
> pass in log on $IntIf inet proto {tcp, udp} from $IntIf:network \
>  to $IntIf port $symux rdr-to $lo0
> 
> # Postfix
> pass in log on $IntIf inet proto {tcp, udp} from $ntp \
>  to $IntIf port smtp rdr-to $lo0
> 
> # Allow SamKnows to run its tests
>  pass in log on $IntIf inet proto {tcp, udp, icmp} from $sam \
> to any tag SAM
> 
> ### End $IntIf inbound ###
> 
> ### $ExtIf outbound ###
> 
> ## TCP ##
> # Queue default (i_bittor & b_bittor )
>  pass out log on $ExtIf inet proto tcp from ($ExtIf) \
> to any port $hi_ports queue (i_bittor, i_ack)
>  pass out log on $ExtIf inet proto tcp from ($ExtIf) \
> to <bgnets> port $hi_ports queue (b_bittor, b_ack)
> 
> # Queue bulk (i_bulk & b_bulk )
>  pass out log on $ExtIf inet proto tcp from ($ExtIf) \
> to any port $low_ports queue (i_bulk, i_ack)
>  pass out log on $ExtIf inet proto tcp from ($ExtIf) \
> to <bgnets> port $low_ports queue (b_bulk, b_ack)
> 
> # Queue web (i_web & b_web )
>  pass out log on $ExtIf inet proto tcp from ($ExtIf) \
> to any port $web queue (i_web, i_ack)
>  pass out log on $ExtIf inet proto tcp from ($ExtIf) \
> to <bgnets> port $web queue (b_web, b_ack)
> 
> ## UDP ##
> # Queue default (i_bittor & b_bittor)
>  pass out log on $ExtIf inet proto udp from ($ExtIf) \
> to any port $hi_ports queue i_bittor
>  pass out log on $ExtIf inet proto udp from ($ExtIf) \
> to <bgnets> port $hi_ports queue b_bittor
> 
> # Queue bulk (i_bulk & b_bulk)
>  pass out log on $ExtIf inet proto udp from ($ExtIf) \
> to any port $low_ports queue i_bulk
>  pass out log on $ExtIf inet proto udp from ($ExtIf) \
> to <bgnets> port $low_ports queue b_bulk
> 
> # Queue dns (i_dns & b_dns)
>  pass out log on $ExtIf inet proto udp from ($ExtIf) \
> to any port domain queue i_dns
>  pass out log on $ExtIf inet proto udp from ($ExtIf) \
> to <bgnets> port domain queue b_dns
> 
> # Queue ntp (i_ntp & b_ntp)
>  pass out log on $ExtIf inet proto udp from ($ExtIf) \
> to any port ntp queue i_ntp
>  pass out log on $ExtIf inet proto udp from ($ExtIf) \
> to <bgnets> port ntp queue b_ntp
> 
> # ICMP
>  pass out log on $ExtIf inet proto icmp from ($ExtIf) \
> to any $IcmpType queue i_web
>  pass out log on $ExtIf inet proto icmp from ($ExtIf) \
> to <bgnets> $IcmpType queue b_web
> 
> # Traceroute
>  pass out log on $ExtIf inet proto udp from ($ExtIf) \
> to any port $trace queue i_ntp
>  pass out log on $ExtIf inet proto udp from ($ExtIf) \
> to <bgnets> port $trace queue b_ntp
> 
> # SamKnows
>  pass out log on $ExtIf inet proto {tcp, udp, icmp} from ($ExtIf) \
> to any queue i_ack tagged SAM
>  pass out log on $ExtIf inet proto {tcp, udp, icmp} from ($ExtIf) \
> to <bgnets> queue b_ack tagged SAM
> 
> ### End $ExtIf outbound ###########
> 
> dmesg:
> OpenBSD 5.2-current (GENERIC) #15: Fri Jan 11 14:04:04 MST 2013
>    t...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: AMD Athlon(TM) XP1600+ ("AuthenticAMD" 686-class, 256KB L2 cache)
> 1.42 GHz
> cpu0:
> FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE,MMXX,3DNOW2,3DNOW
> real mem  = 402112512 (383MB)
> avail mem = 384557056 (366MB)
> mainbus0 at root
> bios0 at mainbus0: AT/286+ BIOS, date 03/03/03, BIOS32 rev. 0 @ 0xf0d00,
> SMBIOS rev. 2.3 @ 0xf2bc0 (46 entries)
> bios0: vendor Award Software, Inc. version "ASUS A7V266-C ACPI BIOS Rev
> 1014" date 03/03/2003
> bios0: ASUSTeK Computer INC. A7V266-C
> apm0 at bios0: Power Management spec V1.2
> acpi at bios0 function 0x0 not configured
> pcibios0 at bios0: rev 2.1 @ 0xf0000/0x1572
> pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf14b0/192 (10 entries)
> pcibios0: PCI Interrupt Router at 000:17:0 ("VIA VT82C586 ISA" rev 0x00)
> pcibios0: PCI bus #1 is the last bus
> bios0: ROM list: 0xc0000/0x8000 0xc8000/0x1000 0xcc000/0x1000
> cpu0 at mainbus0: (uniprocessor)
> pci0 at mainbus0 bus 0: configuration mode 1 (bios)
> pchb0 at pci0 dev 0 function 0 "VIA VT8366 PCI" rev 0x00
> viaagp0 at pchb0: v2
> agp0 at viaagp0: aperture at 0xfe800000, size 0xe400000
> ppb0 at pci0 dev 1 function 0 "VIA VT8366 AGP" rev 0x00
> pci1 at ppb0 bus 1
> vga1 at pci0 dev 12 function 0 "S3 ViRGE DX/GX" rev 0x01
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> em0 at pci0 dev 13 function 0 "Intel PRO/1000MT (82540EM)" rev 0x02: irq
> 11, address 00:07:e9:10:32:a8
> em1 at pci0 dev 15 function 0 "Intel PRO/1000MT (82540EM)" rev 0x02: irq
> 10, address 00:07:e9:10:2a:20
> viapm0 at pci0 dev 17 function 0 "VIA VT8233A ISA" rev 0x00: SMI
> iic0 at viapm0
> lm1 at iic0 addr 0x2d: AS99127F
> viapm0: 24-bit timer at 3579545Hz
> pciide0 at pci0 dev 17 function 1 "VIA VT82C571 IDE" rev 0x06: ATA133,
> channel 0 configured to compatibility, channel 1 configured to compatibility
> wd0 at pciide0 channel 0 drive 0: <WDC WD800JB-00ETA0>
> wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
> wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
> pciide0: channel 1 disabled (no drives)
> uhci0 at pci0 dev 17 function 2 "VIA VT83C572 USB" rev 0x23: irq 12
> uhci1 at pci0 dev 17 function 3 "VIA VT83C572 USB" rev 0x23: irq 12
> usb0 at uhci0: USB revision 1.0
> uhub0 at usb0 "VIA UHCI root hub" rev 1.00/1.00 addr 1
> usb1 at uhci1: USB revision 1.0
> uhub1 at usb1 "VIA UHCI root hub" rev 1.00/1.00 addr 1
> isa0 at mainbus0
> isadma0 at isa0
> com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> com0: console
> com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
> pckbc0 at isa0 port 0x60/5
> pckbd0 at pckbc0 (kbd slot)
> pckbc0: using irq 1 for kbd slot
> wskbd0 at pckbd0: console keyboard, using wsdisplay0
> pcppi0 at isa0 port 0x61
> spkr0 at pcppi0
> npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
> mtrr: Pentium Pro MTRR support
> vscsi0 at root
> scsibus0 at vscsi0: 256 targets
> softraid0 at root
> scsibus1 at softraid0: 256 targets
> root on wd0a swap on wd0b dump on wd0b
