Hi,
I'm using OpenBSD 4.4 as a firewall running pf.
When running a program (darcs) to sync to
a revision control repository there are
repeated http requests made. I find that
after an indeterminate number, typically
50 to 250 such requests, the program
aborts with connection refused.
I did a tcpdump of both the inside (sis0)
interface and outside (sis1) interface and found
that the final tcp/http request consists
of a single SYN packet that is received
on the internal interface but not sent
out the external interface. The firewall
is sending an ICMP unreachable to the client.
pfctl -s info shows that state-insert
increases by 1 every time I have the
problem. The number of states is only
about 400 to 600, far below the 10,000
limit. vmstat 1 seems to show free memory
the whole time.
netstat -s shows an increase of 1 in
"packets not forwardable". And of course
there's an increase of 1 in both
"calls to icmp_error" and "destination unreachable".
Setting pfctl -x to misc or loud leaves
nothing in the log. (I once messed with
the log, so it's remotely possible I've broken
something here. But I don't think so.)
How can I find out more about what's going on?
If there's congestion on the outbound wire
shouldn't the SYN just be dropped so the
sending TCP stack (Linux/libcurl) can retry?
FWIW, I had queueing in my pf.conf but removed
it and there was no difference either way.
I can make the tcpdumps available to anyone
who wants them. I'll post them somewhere public if
anybody asks. (~700K each, gzipped)
I would prefer to send my pf.conf privately.
If this is not a pf issue please let me know
and I'll try the OpenBSD misc list.
Thanks.
Karl <k...@meme.com>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein
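An added example, not Karl's code or anything from the pf project: a small sh script that takes the `pfctl -s info` and `netstat -s` output captured before and after a failed request and prints only the counters the post watches that moved, folding netstat's singular/plural wording into one key. It assumes the three line shapes noted in its comments and embeds constructed snapshot text so it runs anywhere.

```shell
#!/bin/sh
# Added example (not from the post or pf): report which watched counters from
# `pfctl -s info` / `netstat -s` moved between two snapshots.  Demo data is constructed.
WATCH='state-insert|not forwardable|to icmp_error|destination unreachable'

# normalise TAG: stdin snapshot -> "TAG<TAB>name<TAB>value".  Assumed line shapes:
#   pfctl   "  state-insert   14   0.0/s"     (name value rate)
#   netstat "  12 packets not forwardable"    (value name; netstat pluralises)
#   netstat "    destination unreachable: 12" (name: value, inside a histogram)
normalise() {
    awk -v tag="$1" -v watch="$WATCH" '
        /histogram:$/ { sect = $1 " "; next }    # "Input"/"Output" histogram header
        $0 !~ watch   { next }
        {
            if ($0 ~ /: *[0-9]+$/) {             # name: value
                v = $NF; sub(/: *[0-9]+$/, ""); sub(/^[ \t]+/, ""); name = sect $0
            } else if ($1 ~ /^[0-9]+$/) {        # value name
                v = $1; $1 = ""; name = $0
            } else {                             # name value rate
                name = $1; v = $2
            }
            sub(/^[ \t]+/, "", name)
            sub(/^packets /, "packet ", name); sub(/^calls /, "call ", name)  # fold plurals
            print tag "\t" name "\t" v
        }'
}

# counter_deltas BEFORE AFTER: print "name +delta" for watched counters that changed
counter_deltas() {
    { printf '%s\n' "$1" | normalise B; printf '%s\n' "$2" | normalise A; } |
    awk 'BEGIN { FS = "\t" }
        $1 == "B" { before[$2] = $3; next }
        ($2 in before) && $3 != before[$2] { print $2 " +" ($3 - before[$2]) }'
}

# Constructed snapshots; AFTER reproduces the "+1 in each counter" pattern from the post
BEFORE='Counters
  match                             3012            0.1/s
  state-insert                        14            0.0/s
ip:
	12 packets not forwardable
icmp:
	12 calls to icmp_error
	Output histogram:
		destination unreachable: 12'
AFTER=$(printf '%s\n' "$BEFORE" |
    sed 's/ 14 / 15 /; s/12 packets/13 packets/; s/12 calls/13 calls/; s/: 12$/: 13/')

counter_deltas "$BEFORE" "$AFTER"
```

In real use, capture `pfctl -s info; netstat -s` into one file before the sync and again right after the refused connection, then pass the two files' contents as the arguments.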