On 2008-04-19, Moe Sizlak <sizlak1@gmail.com> wrote:
quoted text
>  Recently I moved from freebsd 6 to openbsd 4.2 but have had some problems.
>
> I get a lot of timeouts on web pages with a high number of hops and I think
> it may be something to do with either pf and/or sysctl.
>
> Any help in diagnosing these timeouts much appreciated.

quoted text
> ext_if="pppoe0"
> scrub in all

Read "MTU/MSS ISSUES" in pppoe(4). This is most likely your problem,
but I'll continue with some other things in case it doesn't:

quoted text
> sysctl -w net.inet.tcp.mssdflt=1452
> sysctl -w net.inet.tcp.recvspace=131072
> sysctl -w net.inet.tcp.sendspace=131072
> sysctl -w net.inet.udp.recvspace=139264
> sysctl -w net.inet.udp.sendspace=32768

Does it work any better if you don't touch the knobs?

quoted text
> block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP
> block in quick on $ext_if inet proto tcp from any to any flags SF/SFRA
> block in quick on $ext_if inet proto tcp from any to any flags /SFRA
> block in quick on $ext_if inet proto tcp from any to any flags F/SFRA
> block in quick on $ext_if inet proto tcp from any to any flags U/SFRAU
> block in quick on $ext_if inet proto tcp from any to any flags P/P

These are already covered by "block all", not your problem but
they're redundant.

quoted text
> pass out on $ext_if proto tcp all modulate state flags S/SA
> pass in inet proto icmp all icmp-type echoreq  keep state
etc.

"keep state" and "flags S/SA" are set by default now, not your problem
but leaving them out makes for an easier-to-read ruleset. 

If you still have problems after fixing MTU then try "keep state"
rather than "modulate state". if you still have problems after that,
pfctl -x misc, and look at the logs.