PF && 'traceroute -I host' && 'tracert host' problem

From: Атанас Владимиров (don.nascogmail.com)
Date: Wed Aug 18 2010 - 19:08:23 CDT


Hi,
I moved from 4.6 to 4.7 and rewrote my pf.conf rules to match the new style.
Everything works fine, but when I try to traceroute a host with the -I flag
(forcing ICMP) on my obsd fw,
I get "Request timed out" on all hops except the last one, which was my
traceroute target. Here is an example:

[ns]~$ traceroute -I data.bg
traceroute to data.bg (195.149.248.130), 64 hops max, 60 byte packets
 1 * * *
 2 * * *
 3 * * *
 4 web.data.bg (195.149.248.130) 0.740 ms 0.707 ms 0.733 ms

As you can see, only the last hop is present.
Example without the -I flag (using UDP):

[ns]~$ traceroute data.bg
traceroute to data.bg (195.149.248.130), 64 hops max, 40 byte packets
 1 gw.tbc.bg (94.26.7.33) 0.591 ms 0.462 ms 0.443 ms
 2 peer.tbc.bg (94.26.50.2) 0.961 ms 1.317 ms 1.965 ms
 3 85.91.141.65 (85.91.141.65) 0.866 ms 0.905 ms 1.93 ms
 4 web.data.bg (195.149.248.130) 0.847 ms 0.732 ms 0.712 ms

When I use 'tracert host' on an MS Windows box behind my obsd fw, I get the same
behavior:

 C:\Users\Administrator>tracert data.bg
Tracing route to data.bg [195.149.248.130]
over a maximum of 30 hops:
  1 <1 ms <1 ms <1 ms ns.bsdbg.net [192.168.1.1]
  2 * * * Request timed out.
  3 * * * Request timed out.
  4 * * * Request timed out.
  5 <1 ms 1 ms 1 ms web.data.bg [195.149.248.130]
Trace complete.

Here the first hop is my obsd fw. I used tcpdump to see what actually happens:

[ns]~# tcpdump -nettti pflog0 host vlado and icmp
tcpdump: listening on pflog0, link-type PFLOG
Aug 19 02:29:32.165656 rule 85/(match) pass in on em1: 192.168.1.2 > 195.149.248.130: icmp: echo request [ttl 1]
Aug 19 02:29:33.168104 rule 120/(match) pass out on em0: 192.168.1.2 > 195.149.248.130: icmp: echo request [ttl 1]
Aug 19 02:29:33.168117 rule 17/(match) match out on em0: 192.168.1.2 > 195.149.248.130: icmp: echo request [ttl 1]
Aug 19 02:29:33.168128 rule 16/(match) match out on em0: 192.168.1.2 > 195.149.248.130: icmp: echo request [ttl 1]
Aug 19 02:29:33.168593 rule 120/(match) pass in on em0: 94.26.7.33 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
Aug 19 02:29:33.168613 rule 14/(match) block out on em1: 94.26.7.33 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
Aug 19 02:29:36.960715 rule 120/(match) pass in on em0: 94.26.7.33 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
Aug 19 02:29:40.960831 rule 120/(match) pass in on em0: 94.26.7.33 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
Aug 19 02:29:44.962196 rule 120/(match) pass in on em0: 94.26.50.2 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
Aug 19 02:29:48.961438 rule 120/(match) pass in on em0: 94.26.50.2 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
Aug 19 02:29:52.961678 rule 120/(match) pass in on em0: 94.26.50.2 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
Aug 19 02:29:56.960795 rule 120/(match) pass in on em0: 85.91.141.65 > 192.168.1.2: icmp: time exceeded in-transit
Aug 19 02:30:00.960785 rule 120/(match) pass in on em0: 85.91.141.65 > 192.168.1.2: icmp: time exceeded in-transit
Aug 19 02:30:05.002249 rule 120/(match) pass in on em0: 85.91.141.65 > 192.168.1.2: icmp: time exceeded in-transit
Aug 19 02:30:08.960640 rule 120/(match) pass in on em0: 195.149.248.130 > 192.168.1.2: icmp: echo reply
Aug 19 02:30:08.961639 rule 120/(match) pass in on em0: 195.149.248.130 > 192.168.1.2: icmp: echo reply
Aug 19 02:30:08.962888 rule 120/(match) pass in on em0: 195.149.248.130 > 192.168.1.2: icmp: echo reply

When I turn off pf (pfctl -d), 'traceroute -I' works as it should.
I really don't know what is happening.
Thanks in advance,
Atanas

Here is my pf.conf:
##############
pf.conf
##############

################ Macros ######################

### Interfaces ###
 ExtIf ="em0"
 IntIf ="em1"

### Hosts ###
 vl="192.168.1.2"
 jl="192.168.1.3"
 ve="192.168.1.4"
 ntp="192.168.1.5"

### Queues, States and Types ###
 IcmpType ="icmp-type 8 code 0"
 SynState ="flags S/SAFR synproxy state"
 TcpState ="flags S/SAFR modulate state"
 UdpState ="keep state"

### Ports ###
# Squid
 squid="2020"

# Remote Desktop Connection
 rdc_int="3389"
 rdc_ext="4000"

# Skype
 vl_skype="30001"
 jl_skype="30002"
 ve_skype="30003"

# uTorrent
 vl_torrent="30004"
 jl_torrent="30005"
 ve_torrent="30006"
 urange="30004:30006"

# HFS
 vl_hfs="8080"

# VsFTP
 ftprange="55000:60000"
 FtpPort ="8021"

# Symux
 symux="2100"

# Battle.net
 bnet="6112"

# Ssh
 ssh_ext="443"

### Stateful Tracking Options (STO) ###
 ExtIfSTO ="(max 9000, source-track rule, max-src-conn 2000, max-src-nodes 254)"
 IntIfSTO ="(max 250, source-track rule, max-src-conn 100, max-src-nodes 254, max-src-conn-rate 75/20)"
 PostfxSTO ="(max 100, source-track rule, max-src-states 5, max-src-nodes 30, max-src-conn-rate 10/300, overload <BLACKLIST> flush global, tcp.established 45)"
 SpamdSTO ="(max 500, source-track rule, max-src-conn 10, max-src-nodes 300, max-src-conn-rate 2/300, tcp.established 10)"
 SshSTO ="(max 10, source-track rule, max-src-conn 10, max-src-nodes 5, max-src-conn-rate 20/60, overload <OVERLOAD_SSH> flush global)"
 ntpSTO ="(max 500, source-track rule, max-src-states 30, max-src-conn-rate 20/5, overload <OVERLOAD_NTP> flush global)"
 TorSTO ="(max 250, source-track rule, max-src-conn 1, max-src-nodes 250, max-src-conn-rate 3/300, tcp.established 60)"
 ApacheSTO ="(max 30, source-track rule, max-src-conn 10, max-src-nodes 4, max-src-conn-rate 20/60, tcp.established 60)"

### Tables ###
  table <BLACKLIST> persist file "/etc/blacklist"
  table <OVERLOAD_SSH> persist
  table <OVERLOAD_NTP> persist
  table <bgnets> file "/etc/bgnets"
  table <spamd-white> persist
  table <proxy-users> persist { 80.251.14.106, 193.110.130.103, 85.92.222.254, \
    72.93.1.168, 76.19.242.55 }
  table <isp> persist { 94.26.0.0/17 }

################ Options ######################################################
### Misc Options
 set debug urgent
 set reassemble yes
 set require-order yes
 set block-policy drop
 set loginterface $ExtIf
 set state-policy if-bound
 set fingerprints "/etc/pf.os"
 set ruleset-optimization none

### Timeout Options
 set optimization aggressive
 set timeout { frag 30, tcp.established 1200 }
 set timeout { tcp.first 30, tcp.closing 30, tcp.closed 30, tcp.finwait 30 }
 set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
 set timeout { other.first 30, other.single 30, other.multiple 30 }

################ Queueing ####################################################

 altq on $ExtIf bandwidth 100% hfsc queue { BG, INTER, ISP }
  queue INTER bandwidth 2% hfsc (upperlimit 1960Kb) \
 { i_ntp, i_ack, i_dns, i_ssh, i_http, i_bulk, i_bittor }
    queue i_ntp bandwidth 10% priority 8 qlimit 500 hfsc (realtime 10%)
    queue i_ack bandwidth 30% priority 7 qlimit 500 hfsc (realtime 25%)
    queue i_dns bandwidth 10% priority 6 qlimit 500 hfsc (realtime 3% )
    queue i_ssh bandwidth 1% priority 6 qlimit 500 hfsc (realtime 2% )
    queue i_http bandwidth 20% priority 5 qlimit 500 hfsc (realtime (25%, 5000, 15%))
    queue i_bulk bandwidth 28% priority 4 qlimit 500 hfsc (realtime 20% default)
    queue i_bittor bandwidth 1% priority 0 qlimit 2000 hfsc (upperlimit 90%)

  queue BG bandwidth 30% hfsc (upperlimit 30Mb) \
 { b_ack, b_dns, b_ntp, b_skype b_rdc, b_http, b_bulk, b_bittor }
    queue b_ack bandwidth 10% priority 8 qlimit 500 hfsc (realtime 10%)
    queue b_dns bandwidth 1% priority 7 qlimit 500 hfsc (realtime 1% )
    queue b_ntp bandwidth 1% priority 6 qlimit 500 hfsc (realtime 1% )
    queue b_skype bandwidth 10% priority 5 qlimit 500 hfsc (realtime 10%)
    queue b_rdc bandwidth 10% priority 4 qlimit 500 hfsc (realtime 10%)
    queue b_http bandwidth 30% priority 3 qlimit 500 hfsc (realtime 30%)
    queue b_bulk bandwidth 37% priority 2 qlimit 500 hfsc (realtime 10%)
    queue b_bittor bandwidth 1% priority 0 qlimit 500 hfsc (upperlimit 93%)

  queue ISP bandwidth 65% hfsc { isp_ack, isp_bulk }
    queue isp_ack bandwidth 10% priority 8 qlimit 500 hfsc (realtime 10%)
        queue isp_bulk bandwidth 90% priority 5 qlimit 500 hfsc

################ Translation and Filtering ###################################

### Blocking spoofed packets: enable "set state-policy if-bound" above
 antispoof log quick for { lo0 $IntIf ($ExtIf) }

### Block to/from illegal sources/destinations
 block quick inet6
 block in quick on $ExtIf from <BLACKLIST> to any
 block in quick on $ExtIf inet proto tcp from <OVERLOAD_SSH> to $ExtIf port $ssh_ext
 block in quick on $ExtIf inet proto udp from <OVERLOAD_NTP> to $ExtIf port ntp
 block in quick on $ExtIf inet from any to 255.255.255.255
 block in log quick on $ExtIf inet from urpf-failed to any
 block in log quick on $ExtIf inet from no-route to any

### BLOCK all in/out on all interfaces by default and log
 block log on $ExtIf
 block return log on $IntIf

### Network Address Translation (NAT with outgoing source port randomization)
 match out log on egress from (self) \
    to any tag SELF nat-to ($ExtIf:0) port 1024:65535
 match out log on egress from !$ExtIf \
    to any nat-to ($ExtIf:0) port 1024:65535

### Packet normalization ( "scrubbing" )
 match log on $ExtIf all scrub (random-id no-df reassemble tcp max-mss 1460)

### Ftp ( secure ftp proxy for LAN )
 anchor "ftp-proxy/*"

### $ExtIf inbound ################

# Named ( bind dns )
  pass in log on $ExtIf inet proto udp from any \
 to ($ExtIf) port domain $UdpState queue i_dns rdr-to lo0
  pass in log on $ExtIf inet proto udp from <bgnets> \
 to ($ExtIf) port domain $UdpState queue b_dns rdr-to lo0

# OpenSSH
# pass in log on $ExtIf inet proto tcp from any \
# to ($ExtIf) port ssh $TcpState $SshSTO queue b_bulk rdr-to lo0

# Postfix
  pass in log on $ExtIf inet proto tcp from <spamd-white> \
 to ($ExtIf) port smtp $SynState $PostfxSTO queue i_skype rdr-to lo0
  pass in log on $ExtIf inet proto tcp from !<spamd-white> \
 to ($ExtIf) port smtp $SynState $PostfxSTO rdr-to lo0 port spamd

# Apache
  pass in log on $ExtIf inet proto tcp from <bgnets> \
 to ($ExtIf) port www $SynState $ApacheSTO queue (b_http, b_ack) rdr-to lo0
  pass in log on $ExtIf inet proto tcp from !<bgnets> \
 to ($ExtIf) port www $SynState $ApacheSTO queue (i_http, i_ack) rdr-to lo0

# Ntpd ( time server )
  pass in log on $ExtIf inet proto udp from any \
 to ($ExtIf) port ntp $UdpState $ntpSTO queue i_ntp tag NTP rdr-to $ntp
  pass in log on $ExtIf inet proto udp from <bgnets> \
 to ($ExtIf) port ntp $UdpState $ntpSTO queue b_ntp tag NTP rdr-to $ntp
  pass in log on $ExtIf inet proto udp from <isp> \
 to ($ExtIf) port ntp $UdpState $ntpSTO queue isp_ack tag NTP rdr-to $ntp

# RDC_BG
  pass in log on $ExtIf inet proto tcp from <bgnets> \
 to ($ExtIf) port $rdc_ext $SynState queue (b_rdc) tag RDC rdr-to $vl port $rdc_int

# Squid
  pass in log on $ExtIf inet proto tcp from <proxy-users> \
 to ($ExtIf) port $squid $SynState rdr-to lo0

# Skype (queue BG)
  pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
 to ($ExtIf) port $vl_skype $TcpState queue (b_skype) tag SKYPE rdr-to $vl
  pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
 to ($ExtIf) port $jl_skype $TcpState queue (b_skype) tag SKYPE rdr-to $jl
  pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
 to ($ExtIf) port $ve_skype $TcpState queue (b_skype) tag SKYPE rdr-to $ve

# Skype (queue INTER)
  pass in log on $ExtIf inet proto {tcp, udp} from !<bgnets> \
 to ($ExtIf) port $vl_skype $TcpState tag SKYPE rdr-to $vl
  pass in log on $ExtIf inet proto {tcp, udp} from !<bgnets> \
 to ($ExtIf) port $jl_skype $TcpState tag SKYPE rdr-to $jl
  pass in log on $ExtIf inet proto {tcp, udp} from !<bgnets> \
 to ($ExtIf) port $ve_skype $TcpState tag SKYPE rdr-to $ve

# Battle.net
  pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
 to ($ExtIf) port $bnet $TcpState queue (b_ack) rdr-to $vl

# uTorrent (queue INTER)
  pass in log on $ExtIf inet proto {tcp, udp} from any \
 to ($ExtIf) port $vl_torrent $SynState $TorSTO queue (i_bittor, i_ack) rdr-to $vl
  pass in log on $ExtIf inet proto {tcp, udp} from any \
 to ($ExtIf) port $jl_torrent $SynState $TorSTO queue (i_bittor, i_ack) rdr-to $jl
  pass in log on $ExtIf inet proto {tcp, udp} from any \
 to ($ExtIf) port $ve_torrent $SynState $TorSTO queue (i_bittor, i_ack) rdr-to $ve

# uTorrent (queue BG)
  pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
 to ($ExtIf) port $vl_torrent $SynState $TorSTO queue (b_bittor, b_ack) rdr-to $vl
  pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
 to ($ExtIf) port $jl_torrent $SynState $TorSTO queue (b_bittor, b_ack) rdr-to $jl
  pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
 to ($ExtIf) port $ve_torrent $SynState $TorSTO queue (b_bittor, b_ack) rdr-to $ve

# uTorrent (queue ISP)
  pass in log on $ExtIf inet proto {tcp, udp} from <isp> \
 to ($ExtIf) port $vl_torrent $SynState $TorSTO queue (isp_bulk, isp_ack) rdr-to $vl
  pass in log on $ExtIf inet proto {tcp, udp} from <isp> \
 to ($ExtIf) port $jl_torrent $SynState $TorSTO queue (isp_bulk, isp_ack) rdr-to $jl
  pass in log on $ExtIf inet proto {tcp, udp} from <isp> \
 to ($ExtIf) port $ve_torrent $SynState $TorSTO queue (isp_bulk, isp_ack) rdr-to $ve

# HFS
  pass in log on $ExtIf inet proto tcp from <bgnets> \
 to ($ExtIf) port $vl_hfs $SynState $ApacheSTO queue (b_http) rdr-to $vl

# VsFtp (queue BG)
# pass in log on $ExtIf inet proto tcp from <bgnets> \
# to ($ExtIf) port ftp $SynState queue (b_http, b_ack)
# pass in log on $ExtIf inet proto tcp from <bgnets> \
# to ($ExtIf) port $ftprange $SynState queue (b_http, b_ack)

# VsFtp (queue INTER)
# pass in log on $ExtIf inet proto tcp from !<bgnets> \
# to ($ExtIf) port ftp $SynState queue (i_http, i_ack)
# pass in log on $ExtIf inet proto tcp from !<bgnets> \
# to ($ExtIf) port $ftprange $SynState queue (i_http, i_ack)

# Ping
# pass in log on $ExtIf inet proto icmp from any \
# to ($ExtIf) $UdpState

### End $ExtIf inbound ###########

### $IntIf outbound ###########

# ntp.bsdbg.net
  pass out log on $IntIf inet proto udp from any \
 to $ntp port ntp $UdpState tagged NTP

# RDC
  pass out log on $IntIf inet proto tcp from any \
 to $vl port $rdc_int $TcpState tagged RDC

# Battle.Net
  pass out log on $IntIf inet proto {tcp, udp} from <bgnets> \
 to $vl port $bnet $TcpState

# Skype
  pass out log on $IntIf inet proto {tcp, udp} from any \
 to $vl port $vl_skype $TcpState tagged SKYPE
  pass out log on $IntIf inet proto {tcp, udp} from any \
 to $jl port $jl_skype $TcpState tagged SKYPE
  pass out log on $IntIf inet proto {tcp, udp} from any \
 to $ve port $ve_skype $TcpState tagged SKYPE

# uTorrent
  pass out log on $IntIf inet proto {tcp, udp} from any \
 to $vl port $vl_torrent $TcpState
  pass out log on $IntIf inet proto {tcp, udp} from any \
 to $jl port $jl_torrent $TcpState
  pass out log on $IntIf inet proto {tcp, udp} from any \
 to $ve port $ve_torrent $TcpState

# HFS
  pass out log on $IntIf inet proto tcp from <bgnets> \
 to $vl port $vl_hfs $TcpState

# Allow self to reach Lan
  pass out log on $IntIf inet proto {tcp, udp, icmp} from (self) \
 to $IntIf:network $TcpState

# Ping
# pass out log on $IntIf inet proto icmp from any \
# to $IntIf:network $UdpState

### End $IntIf outbound ##########

### $IntIf inbound ###############

# Allow all out
  pass in log on $IntIf inet proto {tcp, udp} from $IntIf:network \
 to any $TcpState tag BULK

  pass in log on $IntIf inet proto icmp from $IntIf:network \
 to any $UdpState

# Capcha Torrent traffic
  pass in log on $IntIf inet proto {tcp, udp} from $IntIf:network port $urange \
 to any $TcpState tag BITTOR

# ntp.bsdbg.net
  pass in log on $IntIf inet proto {tcp, udp} from $ntp \
 to any $TcpState tag NTP

# Ftp-proxy
  pass in log on $IntIf inet proto tcp from $IntIf:network \
 to !$IntIf port ftp $TcpState $IntIfSTO rdr-to lo0 port $FtpPort

# Symux
 pass in log on $IntIf inet proto {tcp, udp} from $IntIf:network \
  to $IntIf port $symux $TcpState $IntIfSTO rdr-to lo0

### End $IntIf inbound ############

### $ExtIf outbound ###############

#################
# TCP #
#################
### Queue bulk (i_bulk & b_bulk & isp_bulk) ###
  pass out log on $ExtIf inet proto tcp from ($ExtIf) \
 to any $TcpState $ExtIfSTO queue (i_bulk, i_ack) tagged BULK
  pass out log on $ExtIf inet proto tcp from ($ExtIf) \
 to <bgnets> $TcpState $ExtIfSTO queue (b_bulk, b_ack) tagged BULK
  pass out log on $ExtIf inet proto tcp from ($ExtIf) \
 to <isp> $TcpState $ExtIfSTO queue (isp_bulk, isp_ack) tagged BULK

### Queue default (i_bittor & b_bittor & isp_bulk) ###
  pass out log on $ExtIf inet proto tcp from ($ExtIf) \
 to any $TcpState $ExtIfSTO queue (i_bittor, i_ack) tagged BITTOR
  pass out log on $ExtIf inet proto tcp from ($ExtIf) \
 to <bgnets> $TcpState $ExtIfSTO queue (b_bittor, b_ack) tagged BITTOR
  pass out log on $ExtIf inet proto tcp from ($ExtIf) \
 to <isp> $TcpState $ExtIfSTO queue (isp_bulk, isp_ack) tagged BITTOR

### Queue ssh (i_ssh)
  pass out log on $ExtIf inet proto tcp from ($ExtIf) \
 to !<bgnets> port ssh $TcpState $ExtIfSTO queue i_ssh

### SELF ###
  pass out log on $ExtIf inet proto tcp from ($ExtIf) \
 to any $TcpState queue i_bulk tagged SELF
  pass out log on $ExtIf inet proto tcp from ($ExtIf) \
 to <bgnets> $TcpState queue b_bulk tagged SELF
  pass out log on $ExtIf inet proto tcp from ($ExtIf) \
 to <isp> $TcpState queue isp_bulk tagged SELF

### ntp.bsdbg.net ###
  pass out log on $ExtIf inet proto tcp from ($ExtIf) \
 to any $TcpState queue i_ntp tagged NTP
  pass out log on $ExtIf inet proto tcp from ($ExtIf) \
 to <bgnets> $TcpState queue b_ntp tagged NTP
  pass out log on $ExtIf inet proto tcp from ($ExtIf) \
 to <isp> $TcpState queue isp_bulk tagged NTP

#################
# UDP #
#################
### Queue bulk (i_bulk & b_bulk)
  pass out log on $ExtIf inet proto udp from ($ExtIf) \
 to any $UdpState $ExtIfSTO queue i_bulk tagged BULK
  pass out log on $ExtIf inet proto udp from ($ExtIf) \
 to <bgnets> $UdpState $ExtIfSTO queue b_bulk tagged BULK
  pass out log on $ExtIf inet proto udp from ($ExtIf) \
 to <isp> $UdpState $ExtIfSTO queue isp_bulk tagged BULK

### Queue torrent (i_bittor & b_bittor)
  pass out log on $ExtIf inet proto udp from ($ExtIf) \
 to any $UdpState $ExtIfSTO queue i_bittor tagged BITTOR
  pass out log on $ExtIf inet proto udp from ($ExtIf) \
 to <bgnets> $UdpState $ExtIfSTO queue b_bittor tagged BITTOR
  pass out log on $ExtIf inet proto udp from ($ExtIf) \
 to <isp> $UdpState $ExtIfSTO queue isp_bulk tagged BITTOR

### Queue dns (i_dns & b_dns)
  pass out log on $ExtIf inet proto udp from ($ExtIf) \
 to any port domain $UdpState queue i_dns
  pass out log on $ExtIf inet proto udp from ($ExtIf) \
 to <bgnets> port domain $UdpState queue b_dns
  pass out log on $ExtIf inet proto udp from ($ExtIf) \
 to <isp> port domain $UdpState queue isp_bulk

### Queue ntp (i_ntp & b_ntp)
  pass out log on $ExtIf inet proto udp from ($ExtIf) \
 to any $UdpState queue i_ntp tagged NTP
  pass out log on $ExtIf inet proto udp from ($ExtIf) \
 to <bgnets> $UdpState queue b_ntp tagged NTP
  pass out log on $ExtIf inet proto udp from ($ExtIf) \
 to <isp> $UdpState queue isp_bulk tagged NTP

### Battle.net ###
  pass out log on $ExtIf inet proto udp from ($ExtIf) \
 to <bgnets> port $bnet $UdpState queue b_ack

### Ping ###
  pass out log (all) on $ExtIf inet proto icmp from ($ExtIf) \
 to any $UdpState queue i_dns
  pass out log (all) on $ExtIf inet proto icmp from ($ExtIf) \
 to <bgnets> $UdpState queue b_dns
  pass out log (all) on $ExtIf inet proto icmp from ($ExtIf) \
 to <isp> $UdpState queue isp_ack

### SELF ###
  pass out log on $ExtIf inet proto udp from ($ExtIf) \
 to any $UdpState queue i_bulk tagged SELF
  pass out log on $ExtIf inet proto udp from ($ExtIf) \
 to <bgnets> $UdpState queue b_bulk tagged SELF
  pass out log on $ExtIf inet proto udp from ($ExtIf) \
 to <isp> $UdpState queue isp_bulk tagged SELF
  pass out log on $ExtIf inet proto icmp from ($ExtIf) \
 to any $UdpState tagged SELF

### End $ExtIf outbound ###########

################################ END ##############################

My dmesg:
##############
DMESG
##############

OpenBSD 4.7-stable (NS) #1: Wed Aug 18 21:28:32 EEST 2010
    rootns.bsdbg.net:/usr/src/sys/arch/amd64/compile/NS
real mem = 1054801920 (1005MB)
avail mem = 1015279616 (968MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 0xf0000 (70 entries)
bios0: vendor Phoenix Technologies, LTD version "ASUS M2NPV-VM ACPI BIOS Revision 1301" date 02/05/2008
bios0: ASUSTek Computer INC. M2NPV-VM
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP MCFG APIC
acpi0: wakeup devices HUB0(S5) XVRA(S5) XVRB(S5) XVRC(S5) UAR1(S5) UAR2(S5) PS2M(S4) PS2K(S4) USB0(S4) USB2(S4) AZAD(S5) MMAC(S5) MMCI(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Sempron(tm) Processor 3200+, 1804.00 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 128KB 64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: apic clock running at 200MHz
ioapic0 at mainbus0: apid 2 pa 0xfec00000, version 11, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (HUB0)
acpicpu0 at acpi0
acpitz0 at acpi0: critical temperature 75 degC
acpibtn0 at acpi0: PWRB
aibs0 at acpi0
aibs0: FSIF: misformed package: 3/5, assume 5
pci0 at mainbus0 bus 0
"NVIDIA C51 Host" rev 0xa2 at pci0 dev 0 function 0 not configured
"NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 1 not configured
"NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 2 not configured
"NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 3 not configured
"NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 4 not configured
"NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 5 not configured
"NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 6 not configured
"NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 7 not configured
vga1 at pci0 dev 5 function 0 "NVIDIA GeForce 6150" rev 0xa2
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
"NVIDIA MCP51 Host" rev 0xa2 at pci0 dev 9 function 0 not configured
pcib0 at pci0 dev 10 function 0 "NVIDIA MCP51 ISA" rev 0xa3
nviic0 at pci0 dev 10 function 1 "NVIDIA MCP51 SMBus" rev 0xa3
iic0 at nviic0
spdmem0 at iic0 addr 0x50: 512MB DDR2 SDRAM non-parity PC2-5300CL5
spdmem1 at iic0 addr 0x51: 512MB DDR2 SDRAM non-parity PC2-5300CL5
iic1 at nviic0
"NVIDIA MCP51 Memory" rev 0xa3 at pci0 dev 10 function 2 not configured
pciide0 at pci0 dev 13 function 0 "NVIDIA MCP51 IDE" rev 0xa1: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: <WDC WD800JB-00JJC0>
wd0: 16-sector PIO, LBA, 76319MB, 156301488 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
pciide0: channel 1 disabled (no drives)
ppb0 at pci0 dev 16 function 0 "NVIDIA MCP51 PCI-PCI" rev 0xa2
pci1 at ppb0 bus 1
em0 at pci1 dev 8 function 0 "Intel PRO/1000MT (82540EM)" rev 0x02: apic 2 int 16 (irq 10), address 00:07:e9:10:32:a8
em1 at pci1 dev 9 function 0 "Intel PRO/1000MT (82540EM)" rev 0x02: apic 2 int 17 (irq 11), address 00:07:e9:10:2a:20
pchb0 at pci0 dev 24 function 0 "AMD AMD64 0Fh HyperTransport" rev 0x00
pchb1 at pci0 dev 24 function 1 "AMD AMD64 0Fh Address Map" rev 0x00
pchb2 at pci0 dev 24 function 2 "AMD AMD64 0Fh DRAM Cfg" rev 0x00
kate0 at pci0 dev 24 function 3 "AMD AMD64 0Fh Misc Cfg" rev 0x00: core rev DH-F2
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
it0 at isa0 port 0x2e/2: IT8716F rev 1, EC port 0x290
mtrr: Pentium Pro MTRR support
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
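An added example, not part of the original post: a small Python script that parses the kind of 'tcpdump -nettti pflog0' output shown in the message and, for every ICMP error (time exceeded, unreachable, ...) that pf accepted inbound on the external interface, reports whether a block for the same packet was logged on the internal interface and by which rule number, which is the rule to look up with 'pfctl -vvsr' before changing anything else. The interface names em0/em1 and the sample lines come from the post (joined onto single lines); the function names and the one-second matching window are the example's own assumptions.

```python
import re

# Constructed sample: a subset of the pflog lines from the post, one record per line.
SAMPLE_PFLOG = """\
Aug 19 02:29:32.165656 rule 85/(match) pass in on em1: 192.168.1.2 > 195.149.248.130: icmp: echo request [ttl 1]
Aug 19 02:29:33.168104 rule 120/(match) pass out on em0: 192.168.1.2 > 195.149.248.130: icmp: echo request [ttl 1]
Aug 19 02:29:33.168593 rule 120/(match) pass in on em0: 94.26.7.33 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
Aug 19 02:29:33.168613 rule 14/(match) block out on em1: 94.26.7.33 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
Aug 19 02:29:36.960715 rule 120/(match) pass in on em0: 94.26.7.33 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
Aug 19 02:30:08.960640 rule 120/(match) pass in on em0: 195.149.248.130 > 192.168.1.2: icmp: echo reply
"""

# One ICMP record of tcpdump's pflog output (timestamp, rule, action, direction,
# interface, addresses, ICMP description); the trailing [ttl ...]/[tos ...] is dropped.
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+) rule (?P<rule>\d+)/\((?P<reason>[^)]+)\) "
    r"(?P<action>pass|block|match) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp: (?P<icmp>.*?)(?: \[[^\]]*\])?$"
)

# ICMP message types that carry an error about another packet (traceroute relies on
# "time exceeded"); echo request/reply are deliberately not in this list.
ICMP_ERRORS = ("time exceeded", "unreachable", "redirect", "parameter problem")


def parse_pflog(text):
    """Parse the ICMP records of pflog output into dicts; other lines are skipped."""
    recs = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line.strip())
        if m:
            recs.append(m.groupdict())
    return recs


def ts_seconds(ts):
    """Seconds since midnight from 'Mon DD HH:MM:SS.ffffff' (day rollover ignored)."""
    h, m, s = ts.split()[2].split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def find_dropped_icmp_errors(recs, ext_if="em0", int_if="em1", window=1.0):
    """Correlate ICMP errors passed in on ext_if with the decision logged on int_if.

    Returns one dict per inbound ICMP error with src, dst, icmp, in_rule and out_rule:
    out_rule is the number of the rule that blocked the packet on int_if, "pass" if a
    pass was logged there, or None if nothing was logged for it on int_if within the
    window (pf logs a packet matched by an existing state only under 'log (all)').
    """
    results = []
    for i, rec in enumerate(recs):
        if not (rec["dir"] == "in" and rec["ifname"] == ext_if
                and rec["action"] == "pass" and rec["icmp"].startswith(ICMP_ERRORS)):
            continue
        key = (rec["src"], rec["dst"], rec["icmp"])
        out_rule = None
        for nxt in recs[i + 1:]:
            if ts_seconds(nxt["ts"]) - ts_seconds(rec["ts"]) > window:
                break
            if nxt["ifname"] == int_if and nxt["dir"] == "out" \
                    and (nxt["src"], nxt["dst"], nxt["icmp"]) == key:
                out_rule = nxt["rule"] if nxt["action"] == "block" else "pass"
                break
        results.append({"src": rec["src"], "dst": rec["dst"], "icmp": rec["icmp"],
                        "in_rule": rec["rule"], "out_rule": out_rule})
    return results


if __name__ == "__main__":
    for r in find_dropped_icmp_errors(parse_pflog(SAMPLE_PFLOG)):
        print(f"{r['src']} -> {r['dst']} {r['icmp']}: in by rule {r['in_rule']}, "
              f"out on em1: {r['out_rule'] or 'nothing logged'}")
```

Run against the trace in the post it reports the first time-exceeded message as blocked by rule 14 and the later ones with no decision logged on em1, so 'pfctl -vvsr' on the numbered rules is the next step.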