Subject: Re: pf, icmp, and max-mss
To: Christian Hattemer <c.hattemer@arcor.de>
From: M Graff <explorer@flame.org>
List: current-users
Date: 07/27/2006 21:12:28
My problem was traced down to the use of VLANs on an interface that I
thought supported the larger packet size, but turns out does not. I
switched back to an fxp card, and all is well. Just another way rtk
blows...

The REAL cause is every site out there believing books that tell them to
block ALL ICMP traffic. But that's another rant.

--Michael

Christian Hattemer wrote:
> Hi,
>
> when I changed from 3.0 to -current I also noticed that IPF now seems to
> require restricting the MSS. The option is named mssclamp there.
>
> I thought this would be one of the several flaws that IPF exhibits now,
> compared to the version in 3.0 with a nearly unchanged ipf.conf (I only
> removed some log keywords and a few block rules).
>
> I have changed to PF now and had used max-mss from the beginning. But your
> report that PF also won't work reliably without restricting the MSS seems
> to indicate that the cause for this particular problem might be somewhere
> else.
>
> Bye, Chris
>