A follow-up on my own email with more information. The problem is still just as weird. I know that in 99% of the cases it is a user error, but now I'm starting to wonder if this is not a problem in OpenBSD.
If I do a "telnet xxx.13.199.159 443" from yyy.5.11.201 I can see the following things in the firewall.
I'm snooping on interface rl0, which is the incoming interface with an IP address of yyy.5.11.200.
09:40:35.349399 yyy.5.11.201.31734 > xxx.13.199.159.443: S 2152123108:2152123108(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 531435206 0> (DF) [tos 0x10]
09:40:41.340969 yyy.5.11.201.31734 > xxx.13.199.159.443: S 2152123108:2152123108(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 531435218 0> (DF) [tos 0x10]
09:40:41.485209 xxx.13.199.159.443 > yyy.5.11.201.31734: S 47156859:47156859(0) ack 2152123109 win 5792 <mss 1460,sackOK,timestamp 154596103 531435218,nop,wscale 0> (DF)
09:40:41.488033 yyy.5.11.201.31734 > xxx.13.199.159.443: . ack 1 win 17376 <nop,nop,timestamp 531435219 154596103> (DF) [tos 0x10]
On the outgoing interface (rl2) I can see the following traffic:
09:40:41.341020 zzz.253.135.162.61404 > xxx.13.199.159.443: S 2152123108:2152123108(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 531435218 0> (DF) [tos 0x10]
09:40:41.485179 xxx.13.199.159.443 > zzz.253.135.162.61404: S 47156859:47156859(0) ack 2152123109 win 5792 <mss 1460,sackOK,timestamp 154596103 531435218,nop,wscale 0> (DF)
09:40:41.488057 zzz.253.135.162.61404 > xxx.13.199.159.443: . ack 1 win 17376 <nop,nop,timestamp 531435219 154596103> (DF) [tos 0x10]
If I snoop on pflog0 I can see the following:
09:40:35.349429 rule 18/0(match): pass in on rl0: yyy.5.11.201.31734 > xxx.13.199.159.443: S 2152123108:2152123108(0) win 16384 <mss 1460,nop,nop,sackOK,[|tcp]> (DF) [tos 0x10]
09:40:35.349478 rule 2/0(match): pass out on rl0: zzz.253.135.162.61404 > xxx.13.199.159.443: S 2152123108:2152123108(0) win 16384 <mss 1460,nop,nop,sackOK,[|tcp]> (DF) [tos 0x10]
The first SYN packet arrives on rl0 and it is matched by a rule that looks like this:
pass in log quick on rl0 inet from yyy.5.11.201 to any keep state
It also has a NAT rule for that interface that looks like:
nat on rl0 from yyy.5.11.201 to any -> rl2
The second packet is then matched by the following rule:
pass out log quick on rl0 route-to (rl2 zzz.253.135.161) inet from zzz.253.135.162 to any keep state
The problem is that the first SYN packet never makes it out on rl2. The same goes for ICMP traffic and UDP traffic. The first packet is always lost. But pf sees it and creates a state for it and also sends it out but it never arrives on the rl2 interface.
Is there any good way for me to debug this except for what I'm already doing?
Thanks, Nickus
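As an added example (not part of the post above, and not OpenBSD or pf code): one way to answer the "how do I debug this" question is to correlate the three snoops mechanically instead of by eye. The script below parses the classic tcpdump/pflog line format shown in the post, pairs every client SYN seen on the inbound interface with its NAT'd twin on the outbound interface by initial sequence number and a short time window (a retransmitted SYN reuses the ISN, so the window is what keeps the retransmit from masking the original), and for each SYN that has no twin reports whether pf itself logged a "pass out" for it. The captures embedded as constants are the post's own lines, copied in as constructed sample input so the script runs offline; the one-second window and the record field names are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: the three snoops from the post (rl0, rl2, pflog0).
RL0_CAPTURE = """\
09:40:35.349399 yyy.5.11.201.31734 > xxx.13.199.159.443: S 2152123108:2152123108(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 531435206 0> (DF) [tos 0x10]
09:40:41.340969 yyy.5.11.201.31734 > xxx.13.199.159.443: S 2152123108:2152123108(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 531435218 0> (DF) [tos 0x10]
09:40:41.485209 xxx.13.199.159.443 > yyy.5.11.201.31734: S 47156859:47156859(0) ack 2152123109 win 5792 <mss 1460,sackOK,timestamp 154596103 531435218,nop,wscale 0> (DF)
09:40:41.488033 yyy.5.11.201.31734 > xxx.13.199.159.443: . ack 1 win 17376 <nop,nop,timestamp 531435219 154596103> (DF) [tos 0x10]
"""
RL2_CAPTURE = """\
09:40:41.341020 zzz.253.135.162.61404 > xxx.13.199.159.443: S 2152123108:2152123108(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 531435218 0> (DF) [tos 0x10]
09:40:41.485179 xxx.13.199.159.443 > zzz.253.135.162.61404: S 47156859:47156859(0) ack 2152123109 win 5792 <mss 1460,sackOK,timestamp 154596103 531435218,nop,wscale 0> (DF)
09:40:41.488057 zzz.253.135.162.61404 > xxx.13.199.159.443: . ack 1 win 17376 <nop,nop,timestamp 531435219 154596103> (DF) [tos 0x10]
"""
PFLOG_CAPTURE = """\
09:40:35.349429 rule 18/0(match): pass in on rl0: yyy.5.11.201.31734 > xxx.13.199.159.443: S 2152123108:2152123108(0) win 16384 <mss 1460,nop,nop,sackOK,[|tcp]> (DF) [tos 0x10]
09:40:35.349478 rule 2/0(match): pass out on rl0: zzz.253.135.162.61404 > xxx.13.199.159.443: S 2152123108:2152123108(0) win 16384 <mss 1460,nop,nop,sackOK,[|tcp]> (DF) [tos 0x10]
"""

# One regex for both plain tcpdump lines and pflog lines; the "rule ..." prefix
# is optional so the same parser serves all three captures.
LINE_RE = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) '
    r'(?:rule (?P<rule>\d+/\d+)\(match\): (?P<action>pass|block) (?P<dir>in|out) on (?P<ifn>\w+): )?'
    r'(?P<src>[\w.]+)\.(?P<sport>\d+) > (?P<dst>[\w.]+)\.(?P<dport>\d+): '
    r'(?P<flags>[A-Z.]+)'
    r'(?: (?P<seq>\d+):\d+\(\d+\))?'   # absolute ISN, printed for SYNs
    r'(?P<ack> ack \d+)?'              # present on SYN-ACKs and ACKs
)


def _seconds(ts):
    """HH:MM:SS.ffffff -> seconds since midnight (float)."""
    h, m, s = ts.split(':')
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_capture(text):
    """Parse tcpdump/pflog lines into dicts; lines that do not parse are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d['t'] = _seconds(d['ts'])
        d['seq'] = int(d['seq']) if d['seq'] else None
        pkts.append(d)
    return pkts


def find_lost_syns(inbound_text, outbound_text, pflog_text=None, window=1.0):
    """Return client SYNs seen inbound that never show up outbound within `window` seconds.

    Each result carries what pf logged for that packet (if a pflog capture is
    given), so a SYN that pf claims to have passed out but that never reached
    the outbound wire is visible as such.
    """
    inbound = parse_capture(inbound_text)
    outbound = parse_capture(outbound_text)
    pflog = parse_capture(pflog_text) if pflog_text else []

    # Index outbound pure SYNs (no ack) by ISN. NAT rewrites address and port
    # but not the sequence number, so the ISN is the stable correlation key.
    out_by_isn = defaultdict(list)
    for q in outbound:
        if q['flags'] == 'S' and q['seq'] is not None and not q['ack']:
            out_by_isn[q['seq']].append(q)

    lost = []
    for p in inbound:
        if p['flags'] != 'S' or p['seq'] is None or p['ack']:
            continue  # only client-side SYNs; SYN-ACKs travel the other way
        twins = [q for q in out_by_isn[p['seq']] if 0 <= q['t'] - p['t'] <= window]
        if twins:
            continue
        # pf's own record for this ISN: a logged 'pass out' inside the window.
        pf_out = [q for q in pflog
                  if q['dir'] == 'out' and q['action'] == 'pass'
                  and q['seq'] == p['seq'] and not q['ack']
                  and 0 <= q['t'] - p['t'] <= window]
        lost.append({
            'ts': p['ts'],
            'isn': p['seq'],
            'from': f"{p['src']}.{p['sport']}",
            'to': f"{p['dst']}.{p['dport']}",
            'pf_out_rule': pf_out[0]['rule'] if pf_out else None,
            'pf_out_if': pf_out[0]['ifn'] if pf_out else None,
            'pf_out_src': f"{pf_out[0]['src']}.{pf_out[0]['sport']}" if pf_out else None,
        })
    return lost


if __name__ == '__main__':
    for r in find_lost_syns(RL0_CAPTURE, RL2_CAPTURE, PFLOG_CAPTURE):
        print(f"{r['ts']} SYN isn={r['isn']} {r['from']} > {r['to']}: no outbound twin; "
              f"pf logged pass out rule {r['pf_out_rule']} on {r['pf_out_if']} as {r['pf_out_src']}")
```

Run against the post's data it reports exactly one entry, the 09:40:35.349399 SYN, together with the pflog record pf wrote for it (rule 2/0, logged as "pass out on rl0" with the translated source zzz.253.135.162.61404). That narrows the search to the stretch between pf's out rule and the rl2 wire. To use it on live captures, replace the three constants with the output of the three tcpdump sessions, and widen the `window` if the client's SYN retransmit interval is shorter than the one in the post.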
