On 2008-04-19, Moe Sizlak  wrote:

quoted text
>  Recently I moved from freebsd 6 to openbsd 4.2 but have had some problems.

>

> I get a lot of timeouts on web pages with a high number of hops and I think

> it may be something to do with either pf and/or sysctl.

>

> Any help in diagnosing these timeouts much appreciated.

> ext_if="pppoe0"

quoted text
> scrub in all

Read "MTU/MSS ISSUES" in pppoe(4). This is most likely your problem,

but I'll continue with some other things in case it doesn't:
> sysctl -w net.inet.tcp.mssdflt=1452

quoted text
> sysctl -w net.inet.tcp.recvspace=131072

> sysctl -w net.inet.tcp.sendspace=131072

> sysctl -w net.inet.udp.recvspace=139264

> sysctl -w net.inet.udp.sendspace=32768

Does it work any better if you don't touch the knobs?
> block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP

quoted text
> block in quick on $ext_if inet proto tcp from any to any flags SF/SFRA

> block in quick on $ext_if inet proto tcp from any to any flags /SFRA

> block in quick on $ext_if inet proto tcp from any to any flags F/SFRA

> block in quick on $ext_if inet proto tcp from any to any flags U/SFRAU

> block in quick on $ext_if inet proto tcp from any to any flags P/P

These are already covered by "block all", not your problem but

they're redundant.
> pass out on $ext_if proto tcp all modulate state flags S/SA

quoted text
> pass in inet proto icmp all icmp-type echoreq  keep state

etc.

"keep state" and "flags S/SA" are set by default now, not your problem

but leaving them out makes for an easier-to-read ruleset. 
If you still have problems after fixing MTU then try "keep state"

rather than "modulate state". if you still have problems after that,

pfctl -x misc, and look at the logs.