I have just upgraded an OpenBSD 4.7 firewall to 5.2. The system routes
between $net1 and $net2 with pf enabled. After the upgrade, ping requests
from $net1 to $net2 get stuck (and vice versa). Only the first icmp
echo-req from $net1 to $net2 gets answered by an icmp echo-reply; all
subsequent icmp echo-reqs are seen on the $net1 interface of the firewall,
but there is no log message in pflog0 and nothing on the $net2 interface.
I use the no state flag for the rules, because the default gateway is not
pass in log on $net1_if inet from $net1 to $net2 no state
pass in log on $net2_if inet from $net2 to $net1 no state
I have solved the problem with dedicated ICMP rules after the rules above.
pass in log on $net1_if proto icmp from $net1 to $net2
pass in log on $net2_if proto icmp from $net2 to $net3
Why is only the first ping OK with the no state flag set on the pass rule?
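To make the rule-ordering and state semantics behind the post's two rulesets concrete, here is a small Python model of how pf decides what to do with a packet: the state table is consulted before the ruleset, the last matching rule wins unless a matching rule is `quick`, a rule that keeps state (pf's default) installs a floating state entry that the reply matches on any interface, and pf passes a packet that matches no rule at all. This is an added illustration written for this page, not pf source and not the poster's configuration; the addresses, interface names (em0/em1 standing in for $net1_if/$net2_if) and packets are constructed, and the model deliberately does not try to reproduce or explain the stuck-ping behaviour the post describes. It shows only why the dedicated ICMP rules placed after the stateless rules become the winning match for echo traffic while TCP still lands on the stateless rule.

```python
"""Toy model of pf packet evaluation (added example, not pf's own code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

NET1 = ipaddress.ip_network("192.0.2.0/24")      # stands in for $net1 (constructed)
NET2 = ipaddress.ip_network("198.51.100.0/24")   # stands in for $net2 (constructed)
NET1_IF, NET2_IF = "em0", "em1"                  # stand in for $net1_if / $net2_if


@dataclass
class Rule:
    ifname: str                      # "on <if>" for an "in" rule
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None      # None: rule has no "proto", matches any
    keep_state: bool = True          # pf default; False models "no state"
    quick: bool = False
    action: str = "pass"


@dataclass
class Packet:
    ifname: str                      # interface the packet arrives on
    src: str
    dst: str
    proto: str
    icmp_id: Optional[int] = None    # echo id: the key pf uses for ICMP states


class PfModel:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.states = set()          # floating states: no interface in the key

    def _key(self, p: Packet):
        return (p.proto, p.src, p.dst, p.icmp_id)

    def _reverse(self, p: Packet):
        return (p.proto, p.dst, p.src, p.icmp_id)

    def evaluate(self, p: Packet) -> Tuple[str, object]:
        """Return (verdict, how); how is "state", the index of the winning
        rule, or "default" (pf passes when no rule matches)."""
        # 1. State lookup comes first: a reply to an existing state is passed
        #    without ever consulting the ruleset.
        if self._key(p) in self.states or self._reverse(p) in self.states:
            return ("pass", "state")
        # 2. Ruleset: the LAST matching rule wins, unless a match is "quick".
        winner = None
        for i, r in enumerate(self.rules):
            if r.ifname != p.ifname:
                continue
            if r.proto is not None and r.proto != p.proto:
                continue
            if (ipaddress.ip_address(p.src) not in r.src
                    or ipaddress.ip_address(p.dst) not in r.dst):
                continue
            winner = i
            if r.quick:
                break
        if winner is None:
            return ("pass", "default")
        rule = self.rules[winner]
        if rule.action == "pass" and rule.keep_state:
            # Floating state (pf's default state-policy): keyed on proto,
            # addresses and ICMP id only, so the reply arriving on the other
            # interface matches it.
            self.states.add(self._key(p))
        return (rule.action, winner)


def ruleset(with_icmp_rules: bool) -> List[Rule]:
    """Rules in the order of the post: two stateless pass rules, optionally
    followed by dedicated ICMP rules that keep state (the pf default)."""
    rules = [
        Rule(NET1_IF, NET1, NET2, keep_state=False),  # pass in on $net1_if ... no state
        Rule(NET2_IF, NET2, NET1, keep_state=False),  # pass in on $net2_if ... no state
    ]
    if with_icmp_rules:
        rules += [
            Rule(NET1_IF, NET1, NET2, proto="icmp"),  # pass in on $net1_if proto icmp ...
            Rule(NET2_IF, NET2, NET1, proto="icmp"),  # pass in on $net2_if proto icmp ...
        ]
    return rules


def ping_trace(with_icmp_rules: bool) -> list:
    """Echo request in on $net1_if, its reply in on $net2_if, then a TCP SYN
    to show the ICMP rules leave other protocols on the stateless rule."""
    pf = PfModel(ruleset(with_icmp_rules))
    req = Packet(NET1_IF, "192.0.2.10", "198.51.100.20", "icmp", icmp_id=0x1234)
    rep = Packet(NET2_IF, "198.51.100.20", "192.0.2.10", "icmp", icmp_id=0x1234)
    syn = Packet(NET1_IF, "192.0.2.10", "198.51.100.20", "tcp")
    return [pf.evaluate(req), pf.evaluate(rep), pf.evaluate(syn), len(pf.states)]


if __name__ == "__main__":
    print("stateless rules only:", ping_trace(False))
    print("with dedicated icmp rules:", ping_trace(True))
```

With only the stateless rules, both the request and the reply are passed by a ruleset match and no state is ever created; with the ICMP rules appended, the request's last match is the ICMP rule, a state is installed, and the reply is passed from the state table before the ruleset is looked at. A real pf also honours `set state-policy if-bound`, `match` rules, and ICMP error states, none of which this model covers.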