Subject: Re.: gem hardware-assisted checksums and ipfilter
To: None <radoslaw.kujawa@altkom.pl>
From: David H.Gutteridge <dhgutteridge@sympatico.ca>
List: port-macppc
Date: 04/05/2006 00:15:21
>I'm running NetBSD 3.0 on a Mac Mini. I noticed a weird problem with the gem
>ethernet interface. It seems that enabling hardware checksums for TCP
>and/or UDP breaks ipfilter. Outbound connections are timing out like this:
...
>This occurs only when IP filter is enabled. I can reproduce it also when 
>using tcp4csum-rx and udp4csum-rx.
...
>This config is working very well when checksums are disabled. When 
>checksums are enabled, connections are timing out.

I can duplicate this problem on 3.0/macppc on an iBook SE.  My results are
identical to yours.  I'm far from an expert on this subject, but did a little
searching out of curiosity.

>ipfstat does not show any TCP checksum fails.

Same for me, but if you have ipmon enabled and look at the results it logs,
I think you'll notice the packets it rejects are marked "bad" at the end.

A peek at the IPFilter FAQ wasn't too helpful, but I did spot this:

15. I'm using a Sun system with an eri interface, and after setting up NAT,
ICMP passes through fine, but TCP doesn't. Why?

    Try disabling hardware checksumming. Edit /etc/system and add the line:
    set ip:dohwcksum=0

(As an aside, I also came across someone's comments on why they think hardware
checksumming is a bad thing to enable: http://www.ethereal.com/lists/ethereal-users/200507/msg00234.html)

I am curious to see if this happens with other network cards with hardware
checksum support (e.g. hme, ex); I may take a crack at checking them out.

You may also want to try pf and see if it has the same problem.  (Or perhaps
I will.)

Lucky for me you mentioned this; I'm about to take my iBook out on the road for
the first time after upgrading to 3.0 and had planned on using ipf and had
also enabled the hardware checksumming for gem...

Regards,

Dave