PF suddenly malfunctioned

Daniel Hartmeier daniel at benzedrine.cx
Mon Jul 23 10:05:29 UTC 2012


If you can reliably reproduce the problem with en.wikipedia.org, I
suggest the following:

On the firewall

   1) enable verbose logging with pfctl -xm
   2) save the output of pfctl -si and netstat -s
   3) run the following three tcpdumps in parallel, and save the output:
        tcpdump -s 1600 -nvvvpSi xl0 'host 91.198.174.225'
        tcpdump -s 1600 -nvvvpSi re0 'host 91.198.174.225'
        tcpdump -s 1600 -nvvveeepi pflog0

On a client

  4) printf "GET /wiki/Main_Page HTTP/1.1\r\nHost: en.wikipedia.org\r\n\r\n" |
       nc -v 91.198.174.225 80 | wc -c
  5) this should hang until some timeout occurs; you need only wait 10s.

Back on the firewall

  6) re-run pfctl -si and netstat -s (again saving the output)
  7) stop the tcpdumps
  8) check /var/log/messages for anything from pf

Then post the outputs :)

Daniel
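
As an added example (not part of the original post), this sh/awk helper compares the two `pfctl -si` outputs saved in steps 2 and 6 and lists only the counters whose totals changed during the test. The function name, file names and sample counter values are constructed for illustration.

```shell
#!/bin/sh
# Added example: diff the counters of two saved `pfctl -si` outputs.
# Usage: pf_counter_delta BEFORE_FILE AFTER_FILE
# Prints "name before after delta" for each counter whose total changed.
pf_counter_delta() {
    awk '
        # Counter line: indented name (may contain spaces), integer total,
        # optional rate column such as "0.1/s". Sets globals key and val.
        function parse(line,    n, f, i, name) {
            n = split(line, f, " ")
            if (n > 0 && f[n] ~ /\/s$/) n--          # drop the rate column
            if (n < 2 || f[n] !~ /^[0-9]+$/) return 0
            name = ""
            for (i = 1; i < n; i++) {
                if (f[i] ~ /^[0-9]+$/) return 0      # multi-column rows: skip
                name = (name == "" ? f[i] : name "-" f[i])
            }
            key = name; val = f[n]
            return 1
        }
        FNR == NR { if (parse($0)) before[key] = val; next }
        parse($0) && (key in before) && val + 0 != before[key] + 0 {
            print key, before[key], val, val - before[key]
        }
    ' "$1" "$2"
}

# Constructed sample in the layout pfctl -si prints (values are made up).
# $1 = searches total, $2 = state-mismatch total
sample_si() {
    cat <<EOF
Status: Enabled for 0 days 01:02:03           Debug: Misc

State Table                          Total             Rate
  current entries                       14
  searches                           $1           11.3/s
Counters
  match                                310            0.1/s
  state-mismatch                        $2            0.0/s
EOF
}

tmp=$(mktemp -d)
sample_si 42010 2 > "$tmp/si.before"   # stands in for the step 2 save
sample_si 42055 9 > "$tmp/si.after"    # stands in for the step 6 save
pf_counter_delta "$tmp/si.before" "$tmp/si.after"
rm -rf "$tmp"
```

A counter such as state-mismatch rising across the test window points at pf's state tracking dropping packets, which is what the pflog0 capture and the debug messages from step 8 would then be checked against.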

