Subject: Re: mss clamping (ip_nat.c)
To: Martin Husemann <martin@duskware.de>
From: Steven M. Bellovin <smb@research.att.com>
List: current-users
Date: 03/18/2002 14:05:00
In message <20020318182202.GD14297@night-porter.duskware.de>, Martin Husemann writes:
>> Sorry, I didn't know I needed to set the sysctl variable. But the above
>> document doesn't say anything about "options MSS_CLAMPING" line.
>> Isn't it required any more?
>
>No.
>
>To be more precise: the code in ip_nat.c is there always, not depending
>on any additional options besides the "pseudo-device ipf".
>
>The clamping is not enabled unless you explicitly request it in your 
>ipnat.conf file, as described in the URL I referenced,
>http://www.netbsd.org/Documentation/network/pppoe/#clamping.
>
>Setting the sysctl variable net.inet.tcp.mss_ifmtu to 1 will make connections
>established from the PPPoE router use the small MSS, even without MSS clamping.

There are limitations on how well that works.  I posted a message (and 
a fix for 1.5.2, but it translates easily to -current, and I could 
supply that, too, if anyone wants) on March 1 -- it should be in the 
archives.

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com