Subject: Re: pf, icmp, and max-mss
To: None <>
From: Peter Postma <>
List: current-users
Date: 07/26/2006 11:38:48
On Tue, Jul 25, 2006 at 05:51:02PM -0500, M Graff wrote:
> Hash: SHA1
> I switched from ipf to pf, since that seems to be the wave of the
> present, and am having problems.
> "fxp0" is my external interface, and "vlan13" is more or less my
> internal.  "vlan14" is my wpa2 "protected" wireless, and "vlan15" is the
> public, unencrypted wireless, which I want to treat as external.
> Before I added the "max-mss 1200" part, I could not reach some web sites
> or, when I could reach them, post forms to them reliably.  I tried it
> both with and without the no-df part.
> The problem seems to be that the icmp "must fragment" response is acting
> oddly...  For one, it seems my firewall is GENERATING them at times.
> This is odd since no fragmentation should be necessary coming from an
> interface with 1500 MTU onto one with 1500 MTU.

But you have max-mss 1200 which means max MTU = 1200 + 20 + 20 = 1240.
I think you want to specify the interface in the scrub rule to perform
these checks on (and maybe also the direction).

> For two, the ICMP must
> fragment is not being passed across the firewall to the machines on the
> private wire vlans.

Not sure.

Peter Postma