Subject: Re: pf, icmp, and max-mss
To: None <firstname.lastname@example.org>
From: Peter Postma <email@example.com>
Date: 07/26/2006 11:38:48
On Tue, Jul 25, 2006 at 05:51:02PM -0500, M Graff wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> I switched from ipf to pf, since that seems to be the wave of the
> present, and am having problems.
> "fxp0" is my external interface, and "vlan13" is more or less my
> internal. "vlan14" is my wpa2 "protected" wireless, and "vlan15" is the
> public, unencrypted wireless, which I want to treat as external.
> Before I added the "max-mss 1200" part, I could not reach some web sites
> or, when I could reach them, post forms to them reliably. I tried it
> both with and without the no-df part.
> The problem seems to be that the icmp "must fragment" response is acting
> oddly... For one, it seems my firewall is GENERATING them at times.
> This is odd since no fragmentation should be necessary coming from an
> interface with 1500 MTU onto one with 1500 MTU.
But you have max-mss 1200 which means max MTU = 1200 + 20 + 20 = 1240.
I think you want to specify the interface in the scrub rule to perform
these checks on (and maybe also the direction).
> For two, the ICMP must
> fragment is not being passed across the firewall to the machines on the
> private wire vlans.