"Loïc BLOT" <loic.b...@frostsapphirestudios.com> wrote:
> Hello to OpenBSD users,
>
> I have a little problem, I think it's linked with PF, but I have no
> proof. System is OpenBSD 5.1 but OpenBSD 5.2 gets the same thing (with a
> different card, 5.1 uses bnx and 5.2 uses em).
> I have a router with squid proxy, named and isc-dhcpd. The problem is,
> sometimes I get "no route to host" for some transmissions (often on the
> proxy), but randomly. Our connection is perfectly stable (Renater 1Gbit
> fiber connection), and the routes are static and right.
> When squid says no route to host and I refresh the page, it works. I
> think it's a packet filter problem. Nmap sometimes has the same problem
> and says no route to host when I try to scan. Example:
>
> Starting Nmap 5.51 ( http://nmap.org ) at 2012-11-26 23:56 CET
> sendto in send_ip_packet_sd: sendto(4, packet, 44, 0, aaa.bbb.ccc.20,
> 16) => No route to host
> Offending packet: TCP xxx.yyy.zzz.1:42282 > aaa.bbb.ccc.20:5200 S ttl=37
> id=32702 iplen=44 seq=2453102157 win=2048 <mss 1460>
> Sleeping 15 seconds then retrying
>
> This scan was realized in two different networks, but in this capture,
> this is the same network:
>
> Starting Nmap 5.51 ( http://nmap.org ) at 2012-11-26 23:58 CET
> sendto in send_ip_packet_sd: sendto(4, packet, 44, 0, xxx.yyy.zzz.50,
> 16) => No route to host
> Offending packet: TCP xxx.yyy.zzz.1:49053 > xxx.yyy.zzz.50:161 S ttl=52
> id=62248 iplen=44 seq=3073961720 win=1024 <mss 1460>
> Sleeping 15 seconds then retrying
>
> I don't have the problem with pf disabled.
>
> All my outgoing packets are allowed and some are NATed.
>
> Where do you think the problem comes from?
>
> Thanks in advance.
>
> Loïc Blot,
> UNIX systems engineer.

Hello Loïc

What does your ruleset look like? Do you have a log of rejected packets (tcpdump on pflog0)?
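The reply asks for the pflog record of rejected packets. The following is an added example, not code from either poster: a small POSIX sh/awk filter that takes lines in the format `tcpdump -n -e -ttt -i pflog0` prints on OpenBSD and reports which PF rule blocked traffic to a given destination host, so the "Offending packet" nmap printed can be matched against the rule that dropped it. The log lines are constructed for the example (documentation address ranges stand in for the masked xxx.yyy.zzz / aaa.bbb.ccc hosts); on the router the same filter would be fed from the real tcpdump output.

```shell
#!/bin/sh
# Added example (not from the thread): find the PF rule that blocked packets
# to the host nmap/squid reported as "No route to host".
# PFLOG_SAMPLE is constructed to resemble `tcpdump -n -e -ttt -i pflog0`
# output; the addresses are RFC 5737 documentation ranges, not real hosts.

PFLOG_SAMPLE=$(cat <<'EOF'
Nov 26 23:56:01.100000 rule 4/(match) pass out on em0: 192.0.2.1.42281 > 198.51.100.20.80: S 1:1(0) win 2048 <mss 1460>
Nov 26 23:56:02.200000 rule 17/(match) block out on em0: 192.0.2.1.42282 > 198.51.100.20.5200: S 2453102157:2453102157(0) win 2048 <mss 1460>
Nov 26 23:58:05.300000 rule 17/(match) block out on em0: 192.0.2.1.49053 > 192.0.2.50.161: S 3073961720:3073961720(0) win 1024 <mss 1460>
Nov 26 23:58:06.400000 rule 2/(match) block in on em0: 203.0.113.9.5555 > 192.0.2.1.22: S 7:7(0) win 512
EOF
)

# blocked_rules_for DEST
#   Prints "rule <number> <direction>" for every block entry whose
#   destination host is DEST. pflog writes addresses as host.port, so the
#   trailing ".port" (and the colon after it) is stripped before comparing.
blocked_rules_for() {
    dest="$1"
    printf '%s\n' "$PFLOG_SAMPLE" | awk -v dest="$dest" '
        / block / {
            # Field layout: Mon DD time rule N/(match) block DIR on IF: SRC.PORT > DST.PORT: ...
            d = ""
            for (i = 1; i <= NF; i++) if ($i == ">") { d = $(i + 1); break }
            sub(/:$/, "", d)          # drop the trailing colon
            sub(/\.[0-9]+$/, "", d)   # drop .port, leaving the host
            if (d == dest) {
                split($5, r, "/")     # "17/(match)" -> r[1] = "17"
                print "rule", r[1], $7
            }
        }'
}

# Usage: the destination from the first nmap error in the thread, here mapped
# to the constructed address 198.51.100.20.
blocked_rules_for 198.51.100.20
```

The rule number printed corresponds to the `@N` numbering shown by `pfctl -vvsr`, which is how the block entry is traced back to the line in pf.conf that matched. A block that only shows up intermittently, as in the report above, is worth comparing against the state table (`pfctl -ss`) at the time of the failure, since an outbound packet that does not match an existing state and then hits a block rule is exactly what a client sees as a sporadic "No route to host".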