
tcp connections & funny hop counts??

Our network is behind a dual-homed firewall running OpenBSD/i386
v2.6-release with all the security patches.

Approximately since we moved the firewall from 2.5 to 2.6 (it was a fresh
install) we noticed a strange timeout problem when trying to establish any
kind of a tcp connection with a particular machine in Germany. The problem
became apparent when the mail destined for a particular domain (for which
the machine in question is the MX) started failing.

Tcp connection attempts from the *internal* network to the affected
machine fail with no response from the remote end. Just about the only
thing that does work is traceroute, however it needs *more* than 30 hops
to reach the destination.

Tcp connection attempts from the *external* network to the "affected"
machine work fine.

Tcp connection attempts from the *internal* network to anywhere else work
fine.

Tcp connection attempts from the *external* network to anywhere else work
fine.

Tcp connection attempts from the firewall itself to the "affected" machine
work fine.

Tcp connection attempts from the firewall itself to anywhere else work
fine.

We are running a very reduced set of services on the OpenBSD firewall:
syslogd, cron, ipf/ipmon, getty.

There is no trace of the "affected" machine in the ipflog.

If anyone can suggest any solutions how to get the mail to the "affected"
MX machine working, we would be very grateful.

The only thing that we can think of is that something (ipf, tcp stack?) is
blocking the packets as they need more than 30 hops to reach the
destination. Does that make any sense?

Thanks in advance...
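The hop-count idea in the post can be checked from the traceroute output itself. The script below is an added example, not part of the original message or of OpenBSD: it parses a traceroute-style trace, finds the hop at which the destination answered, and reports whether a packet leaving with a given initial TTL would survive that many router decrements. The trace is constructed inline (all addresses are documentation ranges), the `extra_hops` parameter models hosts sitting one hop behind the firewall, and the default TTL values in `DEFAULT_TTLS` are well-known stack defaults, not anything taken from the poster's machines.

```python
"""Hop count vs. initial TTL for a traceroute-style trace (added example)."""
import re

# Constructed sample trace (not real hosts): the destination answers at
# hop 33, i.e. beyond traceroute's default 30-hop limit, and two
# intermediate routers do not answer at all.
DEST_IP = "198.51.100.200"


def _build_sample_trace(dest_hop=33, silent_hops=(7, 19)):
    lines = [f"traceroute to mx.example.invalid ({DEST_IP}), 40 hops max, 40 byte packets"]
    for n in range(1, dest_hop):
        if n in silent_hops:
            lines.append(f"{n:2d}  * * *")
        else:
            lines.append(f"{n:2d}  r{n}.example.invalid (192.0.2.{n})  "
                         f"{n * 1.5:.1f} ms  {n * 1.6:.1f} ms  {n * 1.4:.1f} ms")
    lines.append(f"{dest_hop:2d}  mx.example.invalid ({DEST_IP})  61.0 ms  60.8 ms  61.2 ms")
    return "\n".join(lines)


SAMPLE_TRACE = _build_sample_trace()

HEADER_RE = re.compile(r"to \S+ \((\d{1,3}(?:\.\d{1,3}){3})\), (\d+) hops max")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_trace(text):
    """Return (dest_ip, max_hops, [(hop_number, responder_ip_or_None), ...])."""
    lines = text.strip().splitlines()
    header = HEADER_RE.search(lines[0])
    if not header:
        raise ValueError("unrecognised traceroute header line")
    dest_ip, max_hops = header.group(1), int(header.group(2))
    hops = []
    for line in lines[1:]:
        m = HOP_RE.match(line)
        if not m:
            continue  # stray text, not a hop line
        ipm = IP_RE.search(m.group(2))
        # '* * *' lines carry no address: record the hop with None
        hops.append((int(m.group(1)), ipm.group(1) if ipm else None))
    return dest_ip, max_hops, hops


def hops_to_destination(text):
    """Hop number at which the destination itself answered, or None if the
    trace ended (max hops) without ever reaching it."""
    dest_ip, _max_hops, hops = parse_trace(text)
    for n, ip in hops:
        if ip == dest_ip:
            return n
    return None


def reachable_with_ttl(hop_count, initial_ttl):
    """A packet sent with TTL t is decremented by each router and is dropped
    when TTL hits zero; a destination shown at hop n is reached only if t >= n."""
    return hop_count is not None and initial_ttl >= hop_count


# Well-known defaults (assumed here, not measured on the poster's hosts).
DEFAULT_TTLS = {
    "OpenBSD (net.inet.ip.ttl default)": 64,
    "traceroute default max hops (-m raises it)": 30,
    "older Windows stacks (historical default)": 32,
}


def ttl_report(text, defaults=DEFAULT_TTLS, extra_hops=0):
    """For each assumed initial TTL, would a sender extra_hops behind the
    traced vantage point (e.g. behind the firewall) reach the destination?"""
    n = hops_to_destination(text)
    if n is not None:
        n += extra_hops
    return {name: reachable_with_ttl(n, ttl) for name, ttl in defaults.items()}


if __name__ == "__main__":
    n = hops_to_destination(SAMPLE_TRACE)
    print(f"destination answered at hop {n}")
    for name, ok in ttl_report(SAMPLE_TRACE, extra_hops=1).items():
        print(f"  {name:45s} {'reaches' if ok else 'expires en route'}")
```

Run against a real trace taken on the firewall (with `traceroute -m` raised above 30 so the destination actually appears) and with `extra_hops=1` for the internal LAN, the report separates "the path is simply too long for this sender's TTL" from "something on the firewall is dropping the flow"; only the latter would be expected to leave traces in ipmon output.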