On Wed, Mar 29, 2006 at 01:07:10PM +0100, Ian Chard wrote:
> Can someone please help me track this down?
Looks like you don't create state on the initial TCP SYN packet, but on a subsequent packet (like the SYN+ACK flowing in the reverse direction). That's usually a mistake in the ruleset and not intentional.

When a state is created from anything but the initial SYN, pf can't honour TCP window scaling negotiated between the peers during the handshake, and it will eventually block data segments that violate the unscaled window.

Make sure that all your 'pass keep state' rules which can possibly apply to TCP packets also use 'flags S/SA' (so they only apply to initial SYNs), and that you block other TCP packets by default.

If that's not the problem, post a complete tcpdump -nvvvSXp log from all involved interfaces for one particular connection that failed, together with the BAD state message resulting from it.

Daniel
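To illustrate the ruleset mistake described above, here is a constructed pf.conf fragment (an added example, not from the original thread) showing a rule set that lets a SYN+ACK create state, followed by the corrected form using 'flags S/SA' and a default block. The interface name and port are assumed for illustration.

```pf
# Assumed interface name for this example.
ext_if = "em0"

# --- Mistaken ruleset -------------------------------------------------
# No default block and no 'flags S/SA': if the first packet pf sees for
# a connection is the SYN+ACK (or any later segment), that packet
# creates the state.  The window-scale option from the handshake is
# never recorded, so pf later drops segments that exceed the unscaled
# window and logs a BAD state message.
pass in  on $ext_if proto tcp from any to $ext_if port 22 keep state
pass out on $ext_if proto tcp all keep state

# --- Corrected ruleset ------------------------------------------------
# Block everything not explicitly passed, so stray non-SYN TCP packets
# can never create state.
block all

# 'flags S/SA' restricts the rule to packets with SYN set and ACK clear,
# i.e. the initial SYN, so every state starts from the handshake and
# window scaling is honoured for the life of the connection.
pass in  on $ext_if proto tcp from any to $ext_if port 22 flags S/SA keep state
pass out on $ext_if proto tcp all flags S/SA keep state
```

On pf releases since OpenBSD 4.1, 'flags S/SA' and 'keep state' are the defaults for TCP pass rules; on the 2006-era pf discussed in this thread they have to be written out explicitly.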
