On 2014-01-16, Chris Smith <obsd_m...@chrissmith.org> wrote:
> This issue is still with me. Sporadically the connection will fail,
> and a connection attempt immediately after the failure will (so far)
> always work. Again the problem is only with this one remote firewall,
> all of the others are fine. The hardware is virtually identical,
> similar versions of the Supermicro 5015A boxes. Also note that said
> problem box was used in another location with an older version of
> OpenBSD without said issues.

This could be an MTU or RWIN-related issue. One common problem is if the
firewall state is created from an already-established connection rather
than a SYN packet; in this case the firewall can't keep track of the
RWIN value which is set by many modern OSes, and needed in order for a
stateful firewall to track the connection.

To avoid the risk of this I usually start pf rulesets with "block log"
(*not* 'block in log', etc.) just to make sure that no packets are passed by
the implicit default rule (which is basically "pass all flags any no state")
which takes effect if no other rules match.

Posting the firewall ruleset may possibly help people diagnose this in more 
detail.
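The ruleset shape the reply describes, written out as an added example (not a ruleset from this thread or from either poster). Interface names, the LAN prefix and the ssh service are assumed placeholders; the point is the difference between a ruleset that leaves the implicit default rule reachable and one that opens with "block log" so every state is created by an explicit stateful pass rule.

```pf
# Added example ruleset, not from the thread. em0/em1 and 192.0.2.0/24 are
# placeholder values chosen for illustration.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.0.2.0/24"

set skip on lo0

# Weak start: only inbound traffic is blocked. Anything not matched by a
# later rule (outbound, or other interfaces) falls through to the implicit
# default, which passes with no state, so a state can later be created
# from a packet in the middle of a connection and window scaling is lost.
#
#   block in log
#
# Recommended start, as in the reply above: block both directions and log
# what is dropped, so the implicit default rule is never reached.
block log

# Explicit stateful rules. On OpenBSD a plain "pass" defaults to
# "flags S/SA keep state": state is created only on the initial SYN, so
# pf sees the window-scaling option and can track RWIN correctly.
pass out on $ext_if inet from ($ext_if) to any
pass in  on $int_if inet from $lan_net to any
pass in  on $ext_if inet proto tcp from any to ($ext_if) port ssh

# Avoid "flags any" on TCP rules: it lets state be created from a
# non-SYN packet, which is exactly the mid-connection case described above.
#
#   pass in on $ext_if inet proto tcp to ($ext_if) port ssh flags any
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and watch what the leading "block log" rule is actually dropping with `tcpdump -n -e -ttt -i pflog0`; a connection that fails sporadically but works on immediate retry should then show up in pflog as a blocked packet rather than silently hitting the default rule.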
