Hi,

I confirm this bug. I've experienced the same icmp errors with three
different firewalls using 4.4 and nat.

If I add the static-port option to the nat rule then no icmp errors are
experienced, so it's something to do with the nat port relocation.

Bye

S.


Imre Oolberg-3 wrote:
> 
> Hello again!
> 
> When I access the internet from behind a nat'ting OpenBSD 4.4-current i386 
> platform firewall (20090121 snapshot, under a Xen HVM guest, if this test 
> then qualifies) I randomly get icmp host unreachable messages. At the 
> same time network traffic is low and this test firewall is not under any 
> mentionable load. For example, about five to ten icmp error messages 
> appear from the firewall to the wget client when issuing 300 wgets in a row, like 
> this:
> 
> $ for i in `seq 1 300`; do wget "http://172.16.0.12/README?count=$i" -O - 1>dhs.$i.log; done
> 
> # tcpdump -nttti ne3 icmp
> tcpdump: listening on ne3, link-type EN10MB
> Jan 25 15:21:04.986368 192.168.10.210 > 192.168.10.10: icmp: host 
> x.x.x.x unreachable
> Jan 25 15:21:06.444112 192.168.10.210 > 192.168.10.10: icmp: host 
> x.x.x.x unreachable
> ...
> 
> And inserting a one second delay between wgets reduces the icmp errors a lot.
> 
> I believe it has something to do with the firewall's natting because with 
> plain routing it seems to work all right.
> 
> I would be very grateful if somebody could comment on this.
> 

-- 
View this message in context: 
http://www.nabble.com/getting-random-icmp-host-unreachable-messages-from-firewall-tp21651701p21765424.html
Sent from the openbsd user - misc mailing list archive at Nabble.com.
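As an added illustration of the workaround mentioned in the reply above (this fragment is not from the thread or from the OpenBSD project), here is the nat rule in the pre-4.7 pf.conf syntax used by OpenBSD 4.4, once in its default form and once with static-port. The interface name ne3 is taken from the tcpdump output; the external interface name and the internal network are assumptions.

```pf
# Interface macros: ne3 is the internal interface seen in the tcpdump
# above; the external interface name is a placeholder.
ext_if = "ne2"   # placeholder, not from the thread
int_if = "ne3"

# Before (default behaviour): pf rewrites the source port of every
# translated TCP/UDP connection to a random high port, which is the
# "port relocation" the reply refers to.
# nat on $ext_if from $int_if:network to any -> ($ext_if)

# After (workaround from the reply): static-port keeps the client's
# original source port. Caveat: the translated (address, port) pair is
# then no longer guaranteed unique, so two internal hosts that pick the
# same source port towards the same destination can collide. Use it as a
# diagnostic or for protocols that need the port preserved, not as a
# general default.
nat on $ext_if from $int_if:network to any -> ($ext_if) static-port
```

Only one of the two nat rules should be active at a time, since pf applies the first matching nat rule. Reload with `pfctl -f /etc/pf.conf` and repeat the wget loop while watching `tcpdump -nttti ne3 icmp` to confirm the errors stop.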
