> On 21 Apr 2017, at 10:34, Stuart Henderson <s...@spacehopper.org> wrote:
>
> On 2017-04-20, Sjöholm Per-Olov <p...@incedo.org> wrote:
>> Could it be any buffers that are causing this in 6.1 but not in 6.0?
>
> There were changes that would allow larger TCP buffers in 6.1. This
> would not have made a difference to normal or natted connections from
> non-OpenBSD going through PF to non-OpenBSD but could possibly affect
> some configurations with proxies (though only if PF rules were already
> dodgy - you would have active states in "pfctl -ss|grep -A1 tcp"
> without wscale values if this was the case).
>
> Might be worth bumping up the pf log level and seeing if system logs
> give you more clues. Default is "error", you need "notice" to get the
> ones which might give useful clues (loose state match warnings or
> state mismatch errors). (On a busy machine, be ready to back off on
> the debug level in case it causes too much load).
Another addition… This is what the problem actually looks like:

## 1 ## When the problem is ongoing… Telnet from internet to DMZ server FAILS

[sjoholmp@dewey ~]$ telnet mail.dyn.incedo.org 25
Trying 155.4.8.28...
^C

## 2 ## This looks like this

Apr 21 14:06:28.751796 rule 573/(match) pass in on em3: 168.235.89.110.42126 > 192.168.1.12.25: S 2597688027:2597688027(0) win 29200 <mss 1460,sackOK,timestamp 668227520 0,nop,wscale 6> (DF)
Apr 21 14:06:28.751824 rule 63/(match) block out on em3: 155.4.8.28.25 > 168.235.89.110.42126: R 0:0(0) ack 2597688028 win 0 (DF)

## 3 ## Reload PF

root@xanadu:/var/log# pfctl -f /etc/pf.conf
root@xanadu:/var/log#

## 4 ## Telnet from internet again WORKS

[sjoholmp@dewey ~]$ telnet mail.dyn.incedo.org 25
Trying 155.4.8.28...
Connected to mail.dyn.incedo.org.
Escape character is '^]'.
220 mail.dyn.incedo.org ESMTP Sendmail; Fri, 21 Apr 2017 14:08:16 +0200

## 5 ## Looks like this

Apr 21 14:08:16.239213 rule 573/(match) pass in on em3: 168.235.89.110.42168 > 192.168.1.12.25: S 4285065753:4285065753(0) win 29200 <mss 1460,sackOK,timestamp 668335004 0,nop,wscale 6> (DF)
Apr 21 14:08:16.239267 rule 89/(match) pass out on vlan3: 168.235.89.110.42168 > 192.168.1.12.25: S 4285065753:4285065753(0) win 29200 <mss 1460,sackOK,timestamp 668335004 0,nop,wscale 6> (DF)

## 6 ## After a few hours the same problem occurs again, which requires a PF reload

The extra dmesg output after "pfctl -x notice" only shows:

pf: pf_map_addr: selected address 155.4.8.28

I have serious problems with 6.1. I will probably go back to 6.0. I will give it to the end of this day and check what I can…

Peo
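The two checks discussed in this thread, written out as an added example (not code from either poster, and not an OpenBSD tool): the first scans pflog output in tcpdump format for the exact pattern shown above, an inbound SYN that a pass rule accepted followed by a reverse-direction RST that hit a block rule, i.e. a reply that no state matched; the second scans "pfctl -vss" style output for TCP states whose sequence-number line carries no wscale value, the condition Stuart describes. Both samples are constructed, modelled on the lines quoted above; the "pfctl -vss" sample layout is an assumption about the verbose state format and should be checked against real output before relying on the second function.

```shell
#!/bin/sh
# Added example, not from the thread. Run the functions over real data with e.g.
#   tcpdump -n -e -ttt -r /var/log/pflog | find_blocked_rst
#   pfctl -vss | states_without_wscale

# Constructed pflog sample (tcpdump -n -e -ttt layout), modelled on the
# lines quoted in the thread. Addresses and ports are the thread's own.
SAMPLE_PFLOG='Apr 21 14:06:28.751796 rule 573/(match) pass in on em3: 168.235.89.110.42126 > 192.168.1.12.25: S 2597688027:2597688027(0) win 29200 <mss 1460,sackOK,timestamp 668227520 0,nop,wscale 6> (DF)
Apr 21 14:06:28.751824 rule 63/(match) block out on em3: 155.4.8.28.25 > 168.235.89.110.42126: R 0:0(0) ack 2597688028 win 0 (DF)
Apr 21 14:08:16.239213 rule 573/(match) pass in on em3: 168.235.89.110.42168 > 192.168.1.12.25: S 4285065753:4285065753(0) win 29200 <mss 1460,sackOK,timestamp 668335004 0,nop,wscale 6> (DF)
Apr 21 14:08:16.239267 rule 89/(match) pass out on vlan3: 168.235.89.110.42168 > 192.168.1.12.25: S 4285065753:4285065753(0) win 29200 <mss 1460,sackOK,timestamp 668335004 0,nop,wscale 6> (DF)'

# find_blocked_rst: read pflog text on stdin and print one line per client
# endpoint whose inbound SYN was passed by a rule but whose reply RST was then
# blocked by a rule. A reply being evaluated by a block rule at all means it
# matched no existing state, which is the symptom shown in the thread. The
# RST's source is the translated address (155.4.8.28), so the two packets are
# correlated on the untranslated client ip.port that both lines carry.
find_blocked_rst() {
    awk '
    # Fields: 1-3 timestamp, 4 "rule", 5 "N/(match)", 6 action, 7 direction,
    #         8 "on", 9 "iface:", 10 src, 11 ">", 12 "dst:", 13 TCP flags
    $4 == "rule" && $6 == "pass" && $7 == "in" && $13 == "S" {
        r = $5; sub(/\/.*/, "", r)          # keep only the rule number
        syn[$10] = r                        # key: client ip.port
    }
    $4 == "rule" && $6 == "block" && $7 == "out" && $13 == "R" {
        client = $12; sub(/:$/, "", client) # strip trailing colon
        if (client in syn) {
            r = $5; sub(/\/.*/, "", r)
            printf "%s SYN passed in by rule %s, reply RST blocked out by rule %s\n",
                   client, syn[client], r
        }
    }'
}

# Constructed "pfctl -vss" style sample (layout is an assumption): a state
# header line followed by its sequence-number line. The first state has
# wscale on both sides, the second has none.
SAMPLE_STATES='all tcp 192.168.1.12:25 (155.4.8.28:25) <- 168.235.89.110:42168       ESTABLISHED:ESTABLISHED
   [4285065754 + 29200] wscale 6  [1000000000 + 65535] wscale 7
   age 00:00:10, expires in 24:00:00, 6:5 pkts, 600:400 bytes, rule 573
all tcp 192.168.1.12:25 (155.4.8.28:25) <- 168.235.89.110:42126       ESTABLISHED:ESTABLISHED
   [2597688028 + 29200]  [2000000000 + 65535]
   age 00:01:00, expires in 24:00:00, 6:5 pkts, 600:400 bytes, rule 573'

# states_without_wscale: read verbose state output on stdin and print every
# TCP state header whose following sequence-number line has no "wscale".
states_without_wscale() {
    awk '
    $2 == "tcp" { state = $0; next }        # remember the state header
    state != "" {                           # the line right after it
        if ($0 !~ /wscale/) print state
        state = ""
    }'
}

# Stand-alone demo over the constructed samples.
printf '%s\n' "$SAMPLE_PFLOG" | find_blocked_rst
printf '%s\n' "$SAMPLE_STATES" | states_without_wscale
```

On the constructed sample the first function reports only the 14:06 connection (client port 42126), since the 14:08 connection's outbound packet was a passed SYN, not a blocked RST; the second reports only the state for port 42126.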