>
> Is there one OpenBSD BGP router or more, and is PF running there too?
> (Basically check with tcpdump on various interfaces along the way that
> the packets you expect to receive from the TLS server/s you're
> connecting to aren't being dropped somewhere - if there are paths
> to/from "the internet" going via multiple stateful firewalls you
> can have problems with asymmetric traffic if you're not careful).
Currently only one (this is an edge node for something; there are plans to add
a second router soon, but that has not happened yet).
PF is running on the OpenBSD router, but with a very small and basic ruleset just
to keep undesirables away from the localhost SSH and bgpd; the rest of the traffic
is sent straight through (i.e. PF is running with a default "pass no state" instead
of a default drop).
Not that asymmetric traffic is the problem here, but if it were, surely I would
be seeing broader problems, not just this relatively small and confined one?
I will try some more experiments with tcpdump later.
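For readers following the thread, the ruleset shape described above (stateless pass by default, with only the router's own SSH and bgpd protected) would look roughly like the following pf.conf. This is an added, constructed example and not the poster's actual configuration; the interface name, the <mgmt> and <bgp_peers> table contents, and the choice of "block in quick" rules are assumptions.

```pf
# Constructed example of a minimal stateless edge ruleset (not the poster's file).
# Interface and addresses are assumptions.
ext_if = "em0"
table <mgmt>      { 192.0.2.0/24 }   # assumed admin sources
table <bgp_peers> { 198.51.100.1 }   # assumed eBGP peer address

set skip on lo0

# Default: everything passes without creating state. Because forwarded
# traffic never enters the state table, a reply arriving on a different
# path than the request is not dropped for lack of a matching state entry.
pass no state

# Protect only the router itself. "quick" makes these rules final, so they
# win over the catch-all pass above. SSH (22) is allowed from <mgmt> only,
# BGP (179) from the configured peers only.
block in quick on $ext_if proto tcp from ! <mgmt>      to ($ext_if) port 22
block in quick on $ext_if proto tcp from ! <bgp_peers> to ($ext_if) port 179
```

Check the syntax without loading it with "pfctl -nf /etc/pf.conf", and confirm with "pfctl -ss" that forwarded flows indeed leave no entries in the state table; if they do, some rule is creating state and the asymmetric-path concern raised in the quoted reply applies after all.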