Hi All,

Well, I confirm that there is a problem: when the packets arrive too fast (about 25 000 pks/s), it is likely that the packets do not arrive in the right order, and then the system checking the validity of the packet number breaks and blocks legitimate traffic.
Regards
Lio Goehrs

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lio Goehrs
Sent: Thursday 7 June 2007 09:35
To: [email protected]
Subject: Pf Issue with a large number of Packet

Hi All,

I am sorry to bother the list, but I think I may have encountered a bug and I would like to share it with you guys.

I have been using OpenBSD to build firewalls for a long time, in a solution with VLAN + CARP. When computers in the protected network download a file over HTTP, everything works for the first 15 MB, then it stops. When I tcpdump on the external address, I get the following:

08:34:19.343833 mirrors.club-internet.fr.www > so-bo01-std.55692: P 17637121:17638569(1448) ack 174 win 49232 <nop,nop,timestamp 3651037459 313698521> (DF)
08:34:19.343870 so-bo01-std.55692 > mirrors.club-internet.fr.www: . ack 17634225 win 1810 <nop,nop,timestamp 313698522 3651037459> (DF)
08:34:19.614303 mirrors.club-internet.fr.www > so-bo01-std.55692: P 20054337:20055785(1448) ack 174 win 49232 <nop,nop,timestamp 3651037487 313698589> (DF)
08:34:19.614326 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
08:34:20.024189 mirrors.club-internet.fr.www > so-bo01-std.55692: . 20009449:20010897(1448) ack 174 win 49232 <nop,nop,timestamp 3651037528 313698589> (DF)
08:34:20.024210 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
08:34:20.844464 mirrors.club-internet.fr.www > so-bo01-std.55692: . 20009449:20010897(1448) ack 174 win 49232 <nop,nop,timestamp 3651037610 313698589> (DF)
08:34:20.844485 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
08:34:22.485887 mirrors.club-internet.fr.www > so-bo01-std.55692: . 20009449:20010897(1448) ack 174 win 49232 <nop,nop,timestamp 3651037774 313698589> (DF)
08:34:22.485907 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
08:34:24.234738 so-bo01-std.55692 > mirrors.club-internet.fr.www: F 174:174(0) ack 20009449 win 1851 <nop,nop,timestamp 313699744 3651037482> (DF)
08:34:24.235872 mirrors.club-internet.fr.www > so-bo01-std.55692: . ack 175 win 49232 <nop,nop,timestamp 3651037949 313699744> (DF)

On the internal interfaces, I see nothing related to the host unreachable, just a Reset after a while from the server.

- If I pfctl -d, everything works
- If I remove all the block statements in the pf.conf, it does not work
- If I rate limit the download to 50 KB/s, then I still get unreachables but it is able to recover; above that, and up to 100 MB, it would fail and the transfer would stall.
- If I create an empty rules file, then it works

Here are the two rules:

# Production firewall to the second firewall
service_granted="{domain, ntp, smtp, snmp, http}"
block out log on $if_interco all label "Protection vers le Back"
pass in on $if_interco proto {tcp, udp} from {$net_back, $net_interco} to any port $service_granted keep state label "Back Office vers l'Internet"

Please advise

Regards
Lio Alionis
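To make the stall signature in a dump like the one above quicker to triage, here is an added Python example (not part of the original thread) that parses these old-style tcpdump records, pairs each ICMP host-unreachable with the data segment just before it, counts how often a byte range was retransmitted, and reports how far ahead of the receiver's last ACK each refused segment was. The embedded sample is the excerpt from the post re-typed as constructed input, and the record layout the regexes assume ("ts src > dst: flags seq:seq(len) ack N win W ...") is my reading of that output, not a documented tcpdump grammar.

```python
import re
from collections import Counter

# Constructed sample: the tcpdump excerpt from the post, one record per line.
SAMPLE = """\
08:34:19.343833 mirrors.club-internet.fr.www > so-bo01-std.55692: P 17637121:17638569(1448) ack 174 win 49232 <nop,nop,timestamp 3651037459 313698521> (DF)
08:34:19.343870 so-bo01-std.55692 > mirrors.club-internet.fr.www: . ack 17634225 win 1810 <nop,nop,timestamp 313698522 3651037459> (DF)
08:34:19.614303 mirrors.club-internet.fr.www > so-bo01-std.55692: P 20054337:20055785(1448) ack 174 win 49232 <nop,nop,timestamp 3651037487 313698589> (DF)
08:34:19.614326 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
08:34:20.024189 mirrors.club-internet.fr.www > so-bo01-std.55692: . 20009449:20010897(1448) ack 174 win 49232 <nop,nop,timestamp 3651037528 313698589> (DF)
08:34:20.024210 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
08:34:20.844464 mirrors.club-internet.fr.www > so-bo01-std.55692: . 20009449:20010897(1448) ack 174 win 49232 <nop,nop,timestamp 3651037610 313698589> (DF)
08:34:20.844485 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
08:34:22.485887 mirrors.club-internet.fr.www > so-bo01-std.55692: . 20009449:20010897(1448) ack 174 win 49232 <nop,nop,timestamp 3651037774 313698589> (DF)
08:34:22.485907 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
"""
# Assumed record layout (see lead-in): TCP lines carry "win N", ICMP errors do not.
TCP = re.compile(r"^(\S+) (\S+) > (\S+): (.*\bwin \d+.*)$")
DATA = re.compile(r"(\d+):(\d+)\((\d+)\)")
ACK = re.compile(r"\back (\d+)")
ICMP = re.compile(r"^(\S+) (\S+) > (\S+): icmp: host (\S+) unreachable")

def analyze(dump):
    """Return retransmitted byte ranges and data segments answered with ICMP unreachable."""
    last_ack = {}        # (src, dst) -> last ack number seen in that direction
    ranges = Counter()   # (seq_lo, seq_hi) -> times that data segment appeared
    rejected = []        # (ts, host sending the ICMP, seq_lo, bytes ahead of peer's last ack)
    prev = None          # last data segment seen, candidate for the next ICMP error
    for line in dump.splitlines():
        if (t := TCP.match(line)):
            ts, src, dst, rest = t.groups()
            if (a := ACK.search(rest)):
                last_ack[(src, dst)] = int(a.group(1))
            d = DATA.search(rest)
            prev = None
            if d and int(d.group(3)) > 0:
                lo, hi = int(d.group(1)), int(d.group(2))
                ranges[(lo, hi)] += 1
                prev = (ts, src, dst, lo)
            continue
        i = ICMP.match(line)
        # tcpdump appends ".port" to the endpoint; the ICMP names the bare host
        if i and prev and i.group(4) == prev[2].rsplit(".", 1)[0]:
            ts, src, dst, lo = prev
            ahead = lo - last_ack.get((dst, src), lo)
            rejected.append((ts, i.group(2), lo, ahead))
            prev = None
    return {"retransmitted": {r: n for r, n in ranges.items() if n > 1},
            "rejected": rejected}
```

On the sample, every refused segment sits roughly 2.4 MB beyond the last byte the client acknowledged, which is the kind of figure to compare against the state's tracked window when a stateful filter starts rejecting an otherwise healthy transfer.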

