
OpenBSD-noroutetohost


Sometimes you will see spurious "no route to host" messages while your OpenBSD firewall is under moderate to high load.

This started bothering some of my firewalls with 3.9, but I have seen reports that some people faced it as early as 3.7. The key point is that the default state table holds 10,000 entries, which can be rather small for a highly loaded firewall. For comparison, a default Check Point VPN-1 installation starts with 100,000 maximum entries in its state table.

To set up a larger state table, have a look at the pf.conf(5) man page and put something like the following in your /etc/pf.conf:

set limit { states 100000, frags 100000, src-nodes 50000 }
set optimization aggressive

Of course, you should read the pf.conf man page and choose values that match your site's needs.

Additionally, use pfctl -si -v to see what is actually flowing through your firewall (pfctl -sm shows the limits currently in effect) and adjust your table sizes accordingly.
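The following is an added example, not part of the original page: a small POSIX sh script that reads the "current entries" figure from pfctl -si output and the "states hard limit" from pfctl -sm output, and reports how full the state table is, so the limit set above can be checked against real traffic before it is hit. The two pfctl outputs embedded here are constructed samples that mimic the real format; on a live firewall, feed the real commands in as shown in the usage comment.

```shell
#!/bin/sh
# Added example: estimate how full the pf state table is.
# SAMPLE_INFO and SAMPLE_MEM are constructed to look like `pfctl -si`
# and `pfctl -sm` output; they are not captured from a real system.

# Constructed, abbreviated sample of `pfctl -s info` output.
SAMPLE_INFO='Status: Enabled for 3 days 04:12:09           Debug: err

State Table                          Total             Rate
  current entries                     9412
  searches                        48213321         179.1/s
  inserts                          1203311           4.5/s
  removals                         1193899           4.4/s
Counters
  match                            1203311           4.5/s
  bad-offset                             0           0.0/s'

# Constructed sample of `pfctl -s memory` output, showing the default limits.
SAMPLE_MEM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000'

# current_states INFO_TEXT -> the number on the "current entries" line
current_states() {
    printf '%s\n' "$1" | awk '/current entries/ { print $3; exit }'
}

# state_limit MEM_TEXT -> the "states hard limit" value
state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" { print $NF; exit }'
}

# state_utilization INFO_TEXT MEM_TEXT -> integer percentage of the limit in use
state_utilization() {
    cur=$(current_states "$1")
    lim=$(state_limit "$2")
    awk -v c="$cur" -v l="$lim" 'BEGIN { printf "%d\n", (c * 100) / l }'
}

# On a live firewall, run as root:
#   state_utilization "$(pfctl -si)" "$(pfctl -sm)"
pct=$(state_utilization "$SAMPLE_INFO" "$SAMPLE_MEM")
if [ "$pct" -ge 80 ]; then
    echo "warning: pf state table is ${pct}% full; consider raising 'set limit states'"
else
    echo "pf state table is ${pct}% full"
fi
```

Running this from cron and alerting when the percentage passes a threshold gives early warning that the "set limit states" value needs to grow before connections start failing.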
