Subject: Re: pf, icmp, and max-mss
To: None <current-users@netbsd.org>
From: Peter Postma <peter@pointless.nl>
List: current-users
Date: 07/26/2006 11:38:48
On Tue, Jul 25, 2006 at 05:51:02PM -0500, M Graff wrote:
> I switched from ipf to pf, since that seems to be the wave of the
> present, and am having problems.
> 
> "fxp0" is my external interface, and "vlan13" is more or less my
> internal.  "vlan14" is my wpa2 "protected" wireless, and "vlan15" is the
> public, unencrypted wireless, which I want to treat as external.
> 
> Before I added the "max-mss 1200" part, I could not reach some web sites
> or, when I could reach them, post forms to them reliably.  I tried it
> both with and without the no-df part.
> 
> The problem seems to be that the icmp "must fragment" response is acting
> oddly...  For one, it seems my firewall is GENERATING them at times.
> This is odd since no fragmentation should be necessary coming from an
> interface with 1500 MTU onto one with 1500 MTU.

But you have max-mss 1200, which means max MTU = 1200 + 20 + 20 = 1240.
I think you want to specify the interface in the scrub rule to perform
these checks on (and maybe also the direction).

> For two, the ICMP must
> fragment is not being passed across the firewall to the machines on the
> private wire vlans.
> 

Not sure.

-- 
Peter Postma
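To illustrate the interface-scoped scrub rule suggested above, here is an added pf.conf fragment that is not part of either message in this thread. It assumes the original rule was an unscoped `scrub in all no-df max-mss 1200` (the thread does not show the actual rule) and uses the interface names from the first post.

```pf
# Assumed original (constructed for this example): no interface given, so
# MSS clamping to 1200 is applied on every interface, including the 1500-MTU
# internal vlans, and no-df strips the DF bit on all of them too.
scrub in all no-df max-mss 1200

# Interface-scoped alternative: clamp MSS only where traffic crosses the
# external-facing links (fxp0 and the public wireless vlan15). Traffic between
# the 1500-MTU internal vlans is left untouched. Dropping no-df keeps the DF
# bit intact so path MTU discovery can still work end to end.
scrub in on fxp0 all max-mss 1200
scrub in on vlan15 all max-mss 1200

# Inspect what pf actually loaded (run as root):
#   pfctl -nf /etc/pf.conf   # syntax check only
#   pfctl -s rules           # show scrub and filter rules in effect
```

Watching `tcpdump -ni fxp0 icmp` while reproducing the problem shows whether the "need fragmentation" messages originate from the firewall itself or from an upstream hop, which is the distinction the first post is trying to make.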