From your somewhat better description, it appears to me that your PF configuration is not handling TCP retransmissions or TCP fragments properly.
I would look to any settings you may have copied/pasted from someone else's PF configuration. Flags on rules affect state table management. Scrub rules affect packet fragments, reassembly, and traffic normalization. Runtime options could also be a cause.
Since you have not shared your pf.conf file, this is all just a wild guess, of course. If you decide to share it, just redact any "real" IP addresses or other identifying information.
|