Unix Technical Forum

pf - strange behavior

#1
02-18-2008, 06:11 AM
openbsd misc

Hello,

I have a problem I have no explanation for. Here's the situation: I have
a Windows XP client pinging (ping -t) an internet host (nat through my
obsd testsystem). That's my pf.conf:

# cat /etc/pf.conf
ext_if="pppoe0"
int_if="sis1"
set block-policy return
set skip on lo
scrub in
nat on $ext_if from !($ext_if) -> ($ext_if:0)
block in
pass out keep state
antispoof quick for { lo $int_if }
pass in on $ext_if inet proto tcp from any to ($ext_if) port { 22 } flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick proto { tcp, udp } from { 192.168.122.0/24 } to 192.168.122.2 port { 53 }
pass quick on $int_if

After rebooting my obsd system (while ping is running), ping
cannot get through when the system comes up again. The obsd system
sends out icmp packages without nat. The source ip address is
192.168.122.128, but it should be the public ip-address of the
obsd system (first line):


# pfctl -ss
all icmp 192.168.122.128:512 -> 193.99.144.85 0:0
all udp 84.60.163.18:3790 -> 194.88.212.200:123 MULTIPLE:MULTIPLE
all udp 84.60.163.18:33159 -> 131.174.122.206:123 MULTIPLE:MULTIPLE
all udp 84.60.163.18:40242 -> 83.229.141.2:123 MULTIPLE:MULTIPLE
all udp 84.60.163.18:31316 -> 83.67.64.230:123 MULTIPLE:MULTIPLE
all udp 84.60.163.18:9757 -> 82.165.43.21:123 MULTIPLE:MULTIPLE
all udp 84.60.163.18:17612 -> 72.1.138.113:123 MULTIPLE:MULTIPLE
all udp 84.60.163.18:24708 -> 69.182.190.97:123 MULTIPLE:MULTIPLE
all udp 84.60.163.18:42679 -> 69.59.178.92:123 MULTIPLE:MULTIPLE
all icmp 192.168.122.16:512 -> 84.60.163.18:34545 -> 193.99.144.85 0:0
all tcp 84.60.163.18:22 <- 212.46.125.234:2840 ESTABLISHED:ESTABLISHED
all tcp 192.168.122.16:52556 -> 84.60.163.18:55884 -> 212.227.15.161:110 FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52557 -> 84.60.163.18:54733 -> 212.227.15.161:110 FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52558 -> 84.60.163.18:53237 -> 151.189.21.113:110 FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52559 -> 84.60.163.18:55113 -> 212.227.85.5:110 FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52562 -> 84.60.163.18:58754 -> 212.227.85.5:110 FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52563 -> 84.60.163.18:54019 -> 212.227.85.5:110 FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52569 -> 84.60.163.18:62152 -> 212.227.85.5:110 FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52570 -> 84.60.163.18:61073 -> 212.227.85.5:110 FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52574 -> 84.60.163.18:51917 -> 212.227.15.161:110 FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52575 -> 84.60.163.18:53399 -> 212.227.15.161:110 FIN_WAIT_2:FIN_WAIT_2


The really strange thing is the windows server 2003 (192.168.122.16).
He's also running the ping all the time. His packages get caught by the
nat rule correctly.
If I stop the ping on the windows xp system, wait 10sec (icmp.error value)
and ping again, everything is working fine:

after 10sec:
all icmp 192.168.122.128:512 -> 84.60.163.18:5939 -> 193.99.144.85 0:0


And here's my question: WHY? =) As you can see the windows server
created several connections. I think that the icmp packages get
caught by nat because he creates other connections, too.

Btw, I'm using kernel based pppoe (using spppcontrol) to get a
connection to my isp.

Before you ask, here is some more information =):

# pfctl -sa
TRANSLATION RULES:
nat on pppoe0 from ! (pppoe0) to any -> (pppoe0:0)

FILTER RULES:
scrub in all fragment reassemble
block return in all
pass out all keep state
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on ! sis1 inet from 192.168.122.0/24 to any
block drop in quick inet from 192.168.122.2 to any
block drop in quick on sis1 inet6 from fe80::20d:b9ff:fe04:5ea5 to any
pass in on pppoe0 inet proto tcp from any to (pppoe0) port = ssh flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick inet proto tcp from 192.168.122.0/24 to 192.168.122.2 port = domain
pass in quick inet proto udp from 192.168.122.0/24 to 192.168.122.2 port = domain
pass quick on sis1 all
No queue in use

STATES:
all udp 84.60.163.18:3790 -> 194.88.212.200:123 MULTIPLE:MULTIPLE
all udp 84.60.163.18:33159 -> 131.174.122.206:123 MULTIPLE:MULTIPLE
all udp 84.60.163.18:40242 -> 83.229.141.2:123 MULTIPLE:MULTIPLE
all udp 84.60.163.18:31316 -> 83.67.64.230:123 MULTIPLE:MULTIPLE
all udp 84.60.163.18:9757 -> 82.165.43.21:123 MULTIPLE:MULTIPLE
all udp 84.60.163.18:17612 -> 72.1.138.113:123 MULTIPLE:MULTIPLE
all udp 84.60.163.18:24708 -> 69.182.190.97:123 MULTIPLE:MULTIPLE
all udp 84.60.163.18:42679 -> 69.59.178.92:123 MULTIPLE:MULTIPLE
all icmp 192.168.122.16:512 -> 84.60.163.18:34545 -> 193.99.144.85 0:0
all tcp 84.60.163.18:22 <- 212.46.125.234:2840 ESTABLISHED:ESTABLISHED
all tcp 192.168.122.16:52582 -> 84.60.163.18:65442 -> 212.227.85.5:110 FIN_WAIT_2:FIN_WAIT_2
all icmp 192.168.122.128:512 -> 84.60.163.18:5939 -> 193.99.144.85 0:0
all tcp 192.168.122.16:52585 -> 84.60.163.18:52933 -> 212.227.15.161:110 FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52587 -> 84.60.163.18:57017 -> 212.227.15.161:110 FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52588 -> 84.60.163.18:51838 -> 151.189.21.113:110 FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52589 -> 84.60.163.18:54659 -> 212.227.85.5:110 FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52591 -> 84.60.163.18:53183 -> 212.227.85.5:110 FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52592 -> 84.60.163.18:51607 -> 212.227.85.5:110 FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52593 -> 84.60.163.18:54610 -> 212.227.85.5:110 FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52595 -> 84.60.163.18:51144 -> 213.35.101.4:21 TIME_WAIT:TIME_WAIT
all tcp 192.168.122.16:52597 -> 84.60.163.18:63712 -> 212.227.85.5:110 FIN_WAIT_2:FIN_WAIT_2
all icmp 84.60.163.18:256 <- 84.184.202.84 0:0
all tcp 192.168.122.16:52601 -> 84.60.163.18:51174 -> 212.227.15.161:110 FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52602 -> 84.60.163.18:63336 -> 213.35.101.4:21 ESTABLISHED:ESTABLISHED

INFO:
Status: Enabled for 0 days 00:04:18 Debug: Urgent

State Table Total Rate
current entries 24
searches 6559 25.4/s
inserts 234 0.9/s
removals 210 0.8/s
Counters
match 3296 12.8/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 0 0.0/s
proto-cksum 0 0.0/s
state-mismatch 0 0.0/s
state-insert 1 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s

TIMEOUTS:
tcp.first 120s
tcp.opening 30s
tcp.established 86400s
tcp.closing 900s
tcp.finwait 45s
tcp.closed 90s
tcp.tsdiff 30s
udp.first 60s
udp.single 30s
udp.multiple 60s
icmp.first 20s
icmp.error 10s
other.first 60s
other.single 30s
other.multiple 60s
frag 30s
interval 10s
adaptive.start 0 states
adaptive.end 0 states
src.track 0s

LIMITS:
states hard limit 10000
src-nodes hard limit 10000
frags hard limit 5000
tables hard limit 1000
table-entries hard limit 100000

TABLES:

OS FINGERPRINTS:
382 fingerprints loaded


Regards
Hagen Volpers
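The symptom in the post is visible in the state table itself: the bad icmp entry shows only src -> dst, while every correctly translated one shows src -> gateway -> dst. The following script is an added example (not from the post or from OpenBSD) that parses pfctl -ss lines and reports outbound states from the internal network that carry no NAT hop; the sample lines are constructed from the ones quoted above, and it assumes IPv4 addresses only.

```python
import ipaddress

# Constructed sample, modelled on the pfctl -ss lines quoted in the post.
SAMPLE_STATES = """\
all icmp 192.168.122.128:512 -> 193.99.144.85 0:0
all udp 84.60.163.18:3790 -> 194.88.212.200:123 MULTIPLE:MULTIPLE
all icmp 192.168.122.16:512 -> 84.60.163.18:34545 -> 193.99.144.85 0:0
all tcp 84.60.163.18:22 <- 212.46.125.234:2840 ESTABLISHED:ESTABLISHED
all tcp 192.168.122.16:52556 -> 84.60.163.18:55884 -> 212.227.15.161:110 FIN_WAIT_2:FIN_WAIT_2
"""


def host_of(endpoint):
    """Strip the :port suffix from an IPv4 endpoint (IPv6 not handled; assumption)."""
    host, sep, _port = endpoint.rpartition(":")
    return ipaddress.ip_address(host if sep else endpoint)


def parse_state(line):
    """Split one pfctl -ss line into interface, protocol, hosts, direction and state."""
    fields = line.split()
    iface, proto, state = fields[0], fields[1], fields[-1]
    middle = fields[2:-1]                       # host, arrow, host[, arrow, host]
    hosts = [host_of(tok) for tok in middle[0::2]]
    direction = "out" if set(middle[1::2]) == {"->"} else "in"
    return {"iface": iface, "proto": proto, "hosts": hosts,
            "direction": direction, "state": state, "line": line}


def untranslated_states(text, internal_net):
    """Return outbound states whose source lies in internal_net but which show
    only two hosts (src -> dst) instead of the NAT form src -> gw -> dst."""
    net = ipaddress.ip_network(internal_net)
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        st = parse_state(line)
        if st["direction"] == "out" and st["hosts"][0] in net and len(st["hosts"]) == 2:
            hits.append(st["line"])
    return hits


if __name__ == "__main__":
    for bad in untranslated_states(SAMPLE_STATES, "192.168.122.0/24"):
        print("state without NAT translation:", bad)
```

Run against live output with `pfctl -ss | python3 check.py` after replacing SAMPLE_STATES with sys.stdin.read(); a non-empty result means a state was created before the nat rule (or the pppoe0 address) was in place, which is exactly what the post observes after the reboot.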
