pf stuck

Andrea Venturoli ml at netfence.it
Mon Sep 29 17:33:01 UTC 2014


Hello.

Today a box of mine (8.4p16/amd64) stopped working as a router; I don't 
have a clear picture, but the internal nets were working perfectly, 
while the external interfaces lagged, dropped connections or stopped 
packets from passing.

The box is running pf (for handling multiple Internet lines) + ipfw (for 
firewalling).
I tried a simple telnet xxx:80 and this is what I observed:
_ tcpdump would see packets going out and replies coming in;
_ an early ipfw allow rule with setup keep-state would see no packet 
going out and would not create any dynamic rule.

This led me to look into pf...
"/etc/rc.d/pf restart" did not solve.
"/etc/rc.d/pf stop ; /etc/rc.d/pf start" did!



These are my pf rules:
> pass out quick inet from 192.168.x.0/24 to 192.168.y.0/24 no state
> pass out quick inet from 192.168.x.0/24 to 192.168.z.0/24 no state
> pass out log quick route-to (vlan3 192.168.x.x) inet from 192.168.x.0/24 to ! 192.168.x.0/24 no state
> pass out quick inet from a.b.c.d/29 to 192.168.y.0/24 no state
> pass out quick inet from a.b.c.d/29 to 192.168.z.0/24 no state
> pass out log quick route-to (vlan1 a.b.c.e) inet from a.b.c.d/29 to ! a.b.c.d/29 no state
> pass out quick inet from i.j.k.l/29 to 192.168.z.0/24 no state
> pass out quick inet from i.j.k.l/29 to 192.168.z.0/24 no state
> pass out log quick route-to (vlan2 i.j.k.m) inet from i.j.k.l/29 to ! i.j.k.l/29 no state

These rules are working fine, but have already hung twice in two weeks 
(once on this box, once on an almost identical one).



Is there any known problem wrt running pf? pf+ipfw? pf on 8.4?
Any hint on how to search for what's wrong?



  bye & Thanks
	av.

P.S. Please, forgive me, but I'm quite a noob with pf.
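A small rule-set lint, added here as an example and not part of the post or of pf/FreeBSD: it parses rules of exactly the shape quoted above (`pass out [log] quick [route-to (if gw)] inet from SRC to [!] DST no state`) and reports exact duplicates, rules made dead by an earlier `quick` catch-all for the same source, and a source network whose list of exempted internal destinations differs from the others. The sample input is the quoted rule set with its placeholder octets kept as opaque tokens; the rule grammar it accepts, the heuristic that every source should exempt the same internal nets, and the function names are assumptions of this example. Run on the quoted rules it reports the repeated `i.j.k.l/29` line and the exception that third source network lacks before its `route-to` rule.

```python
"""Lint a pf policy-routing rule set of the shape quoted in the post.

Accepted shape (an assumption of this example, not a general pf parser):
  pass out [log] quick [route-to (IF GW)] inet from SRC to [!] DST no state
"""
import re

RULE_RE = re.compile(
    r"^pass out(?P<log> log)? quick"
    r"(?: route-to \((?P<rt_if>\S+) (?P<rt_gw>[^)]+)\))?"
    r" inet from (?P<src>\S+) to (?P<neg>! )?(?P<dst>\S+) no state$"
)

# Constructed sample: the rules quoted in the post, placeholders (x, y, a.b.c.d, ...)
# left as-is, so they are compared as tokens rather than parsed as addresses.
SAMPLE_RULES = """\
pass out quick inet from 192.168.x.0/24 to 192.168.y.0/24 no state
pass out quick inet from 192.168.x.0/24 to 192.168.z.0/24 no state
pass out log quick route-to (vlan3 192.168.x.x) inet from 192.168.x.0/24 to ! 192.168.x.0/24 no state
pass out quick inet from a.b.c.d/29 to 192.168.y.0/24 no state
pass out quick inet from a.b.c.d/29 to 192.168.z.0/24 no state
pass out log quick route-to (vlan1 a.b.c.e) inet from a.b.c.d/29 to ! a.b.c.d/29 no state
pass out quick inet from i.j.k.l/29 to 192.168.z.0/24 no state
pass out quick inet from i.j.k.l/29 to 192.168.z.0/24 no state
pass out log quick route-to (vlan2 i.j.k.m) inet from i.j.k.l/29 to ! i.j.k.l/29 no state
"""


def parse_rules(text):
    """Parse one rule per line into dicts; reject anything outside the accepted shape."""
    rules = []
    for n, raw in enumerate(text.strip().splitlines(), 1):
        line = raw.strip()
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: not in the expected rule shape: {line!r}")
        d = m.groupdict()
        rules.append({
            "no": n, "line": line, "log": bool(d["log"]),
            "route_to": (d["rt_if"], d["rt_gw"]) if d["rt_if"] else None,
            "src": d["src"], "dst": d["dst"], "neg": bool(d["neg"]),
        })
    return rules


def lint(rules):
    """Return a list of human-readable findings, in rule order."""
    findings = []
    seen = {}           # rule text -> first rule number
    catch_all_at = {}   # src -> number of the first route-to catch-all ('to ! src') for it
    exceptions = {}     # src -> explicit destinations listed before that catch-all
    for r in rules:
        # 1. An exact duplicate can never match anything the first copy did not.
        if r["line"] in seen:
            findings.append(f"rule {r['no']} duplicates rule {seen[r['line']]}")
        else:
            seen[r["line"]] = r["no"]
        # 2. 'quick' ends evaluation: a later rule for a source that already hit
        #    its route-to catch-all is dead.
        if r["src"] in catch_all_at:
            findings.append(
                f"rule {r['no']} is shadowed by catch-all rule {catch_all_at[r['src']]}")
            continue
        if r["route_to"] and r["neg"] and r["dst"] == r["src"]:
            catch_all_at[r["src"]] = r["no"]
            exceptions.setdefault(r["src"], [])
        else:
            exceptions.setdefault(r["src"], []).append(r["dst"])
    # 3. Heuristic (assumption): every source net should exempt the same set of
    #    internal destinations before its traffic is forced out a WAN interface.
    sets = {src: frozenset(d) for src, d in exceptions.items()}
    union = frozenset().union(*sets.values()) if sets else frozenset()
    for src, s in sets.items():
        missing = union - s
        if missing:
            findings.append(
                f"source {src} has no exception for {', '.join(sorted(missing))} "
                f"before its route-to rule")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_rules(SAMPLE_RULES)):
        print(finding)
```

Because every rule is `no state`, a lint like this is about all that can be checked offline; at runtime `pfctl -s states` will show nothing for this traffic, so `pfctl -vvsr` (per-rule evaluation and packet counters) and the `pflog` interface, which only the `route-to` rules feed here, are where a hang between the two WAN paths would first become visible.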

