Look at the pf states.
The default limit is 10000;
if the maximum is reached,
pf will block.

# systat pf

If needed, increase this.



2012/11/27 Laurent Caron (Mobile) <lca...@unix-scripts.info>

> "Loïc BLOT" <loic.b...@frostsapphirestudios.com> wrote:
>
> >Hello to OpenBSD users,
> >
> >I have a little problem, I think it's linked with PF, but I have no
> >proof. The system is OpenBSD 5.1 but OpenBSD 5.2 shows the same things (with
> >a different card, 5.1 uses bnx and 5.2 uses em).
> >I have a router with squid proxy, named and isc-dhcpd. The problem is,
> >sometimes I get "no route to host" for some transmissions (often on the
> >proxy), but randomly. Our connection is perfectly stable (Renater 1Gbit
> >fiber connection), and the routes are static and right.
> >When squid says no route to host and I refresh the page, it works. I
> >think it's a packet filter problem. Nmap sometimes has the same problem
> >and says no route to host when I try to scan. Example:
> >
> >Starting Nmap 5.51 ( http://nmap.org ) at 2012-11-26 23:56 CET
> >sendto in send_ip_packet_sd: sendto(4, packet, 44, 0, aaa.bbb.ccc.20,
> >16) => No route to host
> >Offending packet: TCP xxx.yyy.zzz.1:42282 > aaa.bbb.ccc.20:5200 S
> >ttl=37
> >id=32702 iplen=44  seq=2453102157 win=2048 <mss 1460>
> >Sleeping 15 seconds then retrying
> >
> >This scan was performed on two different networks, but in this capture,
> >it is the same network:
> >
> >Starting Nmap 5.51 ( http://nmap.org ) at 2012-11-26 23:58 CET
> >sendto in send_ip_packet_sd: sendto(4, packet, 44, 0, xxx.yyy.zzz.50,
> >16) => No route to host
> >Offending packet: TCP xxx.yyy.zzz.1:49053 > xxx.yyy.zzz.50:161 S ttl=52
> >id=62248 iplen=44  seq=3073961720 win=1024 <mss 1460>
> >Sleeping 15 seconds then retrying
> >
> >I don't have the problem with pf disabled.
> >
> >All my outgoing packets are allowed and some are NATed.
> >
> >Where do you think the problem comes from?
> >
> >Thanks in advance.
> >
> >Loïc Blot,
> >UNIX systems engineer.
>
> Hello Loïc
>
> What does your ruleset look like ?
>
> Do you have a log of rejected packets (tcpdump on pflog0)?

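The advice above (check how full the pf state table is, raise the limit if it is near the ceiling) can be turned into a quick check. The script below is an added example, not code from anyone in this thread; it parses the `pfctl -sm` ("states hard limit N") and `pfctl -si` ("current entries N") output formats of OpenBSD pf. Because the verifier has no pf, the two pfctl outputs are constructed samples embedded in the script; on a real box you would substitute `"$(pfctl -sm)"` and `"$(pfctl -si)"`. The 80 % warning threshold and the "4x current usage, rounded up to 10000" sizing rule are arbitrary choices for the example, not pf defaults.

```shell
#!/bin/sh
# Added example: how close is the pf state table to its hard limit?
# Live use on OpenBSD (not run here):
#   state_verdict "$(pfctl -si)" "$(pfctl -sm)"
# If the table is full, new connections are dropped; confirm with
#   tcpdump -n -e -ttt -i pflog0
# and raise the limit in pf.conf with "set limit states N".

# Constructed sample of `pfctl -sm` (memory/hard limits).
SAMPLE_SM='states        hard limit    10000
src-nodes    hard limit    10000
frags        hard limit     5000
tables       hard limit     1000
table-entries hard limit  200000'

# Constructed sample of `pfctl -si` (state table statistics), near the limit.
SAMPLE_SI='Status: Enabled for 3 days 04:12:33           Debug: err

State Table                          Total             Rate
  current entries                     9873
  searches                       123456789         3456.7/s
  inserts                         23456789          656.8/s
  removals                        23446916          656.5/s'

# state_limit: configured hard limit for states, taken from `pfctl -sm` output.
state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" && $2 == "hard" { print $4 }'
}

# state_current: number of states currently in the table, from `pfctl -si` output.
state_current() {
    printf '%s\n' "$1" | awk '$1 == "current" && $2 == "entries" { print $3 }'
}

# state_usage_pct: integer percentage of the state table in use.
#   $1 = pfctl -si output, $2 = pfctl -sm output
state_usage_pct() {
    cur=$(state_current "$1")
    lim=$(state_limit "$2")
    echo $(( cur * 100 / lim ))
}

# state_verdict: FULL at/over the limit (new states cannot be created),
# WARN above the (arbitrary) 80 % threshold, otherwise OK.
state_verdict() {
    pct=$(state_usage_pct "$1" "$2")
    if [ "$pct" -ge 100 ]; then
        echo FULL
    elif [ "$pct" -ge 80 ]; then
        echo WARN
    else
        echo OK
    fi
}

# suggested_limit: a pf.conf line sized to 4x current usage, rounded up to the
# next multiple of 10000 (example sizing rule, not a pf recommendation).
suggested_limit() {
    cur=$(state_current "$1")
    want=$(( cur * 4 ))
    want=$(( (want + 9999) / 10000 * 10000 ))
    echo "set limit states $want"
}

echo "states in use: $(state_current "$SAMPLE_SI") / $(state_limit "$SAMPLE_SM") ($(state_usage_pct "$SAMPLE_SI" "$SAMPLE_SM")%) -> $(state_verdict "$SAMPLE_SI" "$SAMPLE_SM")"
echo "pf.conf suggestion: $(suggested_limit "$SAMPLE_SI")"
```

With the constructed sample the table is at 98 % and the verdict is WARN; a box that intermittently hits 100 % during peak traffic will show exactly the sporadic connection failures described in the original post, which is why checking at the moment of failure (or watching `systat pf` / `systat states` live) matters more than a single snapshot.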