tech-net archive


Re: IPv6 TCP sessions hangs when using PF keep state

MSSCLAMP is, for example, an option you have for PPP on DSL, which is
enabled by default, but when you are not using PPP(oE) or when you are
using the kernel version of PPPoE, for example on NetBSD, then you need to
do MSSCLAMP in your packet filter.

On NetBSD this is not PF!

I know that IPTABLES on Linux has an option for MSSCLAMP; OpenWRT, for
example, uses it by default for PPP(oE)/DSL connections.

PF is dropping fragments because it's explicitly telling the other
side not to fragment packets, using the DF flag. This is for preventing
some attacks that use fragmented packets to get inside of something, I have
no idea. Maybe that can be disabled too, and maybe you even get MSSCLAMP
on your PF working. That's where I would start searching.

I had the same problems with a BFSR41 from Linksys on my ADSL
connection, so I know about it.

I even got a link for you:

On Tue, 8 Jan 2013 11:01:35 +0100
Anthony Mallet <> wrote:

> A SYN packet with MSS 1440 is sent from NetBSD to Solaris. Solaris
> eventually gets a "packet too big" from internet. It then starts
> sending fragments of size 1494, which is correct IMHO. If running PF,
> those fragments will be dropped.
> I mention Solaris explicitly, because Linux has a different
> behaviour. When it gets the "packet too big", it seems that it sends
> smaller regular tcp packets instead of using fragments.
> All in all, nothing like this would be happening if NetBSD would send
> SYN with MSS 1420.
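
The MSS arithmetic and the clamping discussed in this message, as an added example that is not code from this thread, from NetBSD, PF or iptables: it computes the MSS that fits a given link MTU and rewrites the MSS option of a TCP SYN the way a packet-filter clamp does, fixing the TCP checksum incrementally (RFC 1624) so the receiver still accepts the segment. The SYN, the endpoint addresses (2001:db8::1 and 2001:db8::2), the 1492-byte PPPoE MTU and all function names are assumptions constructed for the example.

```python
import struct
from ipaddress import IPv6Address

# Fixed header sizes: the MSS a host may advertise is the link MTU minus the
# IP header and the 20-byte TCP header (TCP options are not counted, RFC 6691).
IPV4_HDR = 20
IPV6_HDR = 40
TCP_HDR = 20
TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2

# Constructed example endpoints (documentation prefix), not from the thread.
SRC = IPv6Address("2001:db8::1").packed
DST = IPv6Address("2001:db8::2").packed


def max_mss(mtu, ipv6=False):
    """Largest MSS that fits one unfragmented packet on a link with this MTU."""
    return mtu - (IPV6_HDR if ipv6 else IPV4_HDR) - TCP_HDR


def _words(buf):
    """Big-endian 16-bit words of buf, zero-padded to an even length."""
    if len(buf) % 2:
        buf += b"\x00"
    return struct.unpack("!%dH" % (len(buf) // 2), buf)


def _fold(total):
    """Fold a running sum into 16-bit one's-complement form (end-around carry)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv6_tcp_checksum(src, dst, segment):
    """TCP checksum over the IPv6 pseudo-header (RFC 8200 s8.1) plus the segment.
    Over a segment with a zeroed checksum field it yields the value to insert;
    over a segment carrying a correct checksum it yields 0."""
    pseudo = src + dst + struct.pack("!I3xB", len(segment), 6)  # len, zeros, next header TCP
    return ~_fold(sum(_words(pseudo + segment))) & 0xFFFF


def _update_checksum(old_csum, old_seg, new_seg):
    """Incremental update, RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), applied to
    every 16-bit word that changed. The pseudo-header is untouched by an MSS
    rewrite, so the IP addresses are not needed here."""
    total = ~old_csum & 0xFFFF
    for m, m_new in zip(_words(old_seg), _words(new_seg)):
        if m != m_new:
            total += (~m & 0xFFFF) + m_new
    return ~_fold(total) & 0xFFFF


def clamp_mss(segment, limit):
    """Rewrite the MSS option of a TCP segment (TCP header + payload, no IP
    header) down to `limit` and fix the checksum. Returns (segment, old_mss);
    old_mss is None when the segment carries no MSS option."""
    seg = bytearray(segment)
    data_offset = (seg[12] >> 4) * 4
    off = TCP_HDR
    old_mss = None
    while off < data_offset:
        kind = seg[off]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            off += 1
            continue
        length = seg[off + 1]
        if length < 2 or off + length > data_offset:
            raise ValueError("malformed TCP option")
        if kind == TCP_OPT_MSS and length == 4:
            old_mss = struct.unpack_from("!H", seg, off + 2)[0]
            if old_mss > limit:
                struct.pack_into("!H", seg, off + 2, limit)
            break
        off += length
    if old_mss is None or old_mss <= limit:
        return bytes(segment), old_mss          # nothing to clamp
    old_csum = struct.unpack_from("!H", segment, 16)[0]
    struct.pack_into("!H", seg, 16, _update_checksum(old_csum, segment, bytes(seg)))
    return bytes(seg), old_mss


def build_syn(mss, nops=0, sport=40000, dport=80):
    """Constructed IPv6 TCP SYN carrying an MSS option (optionally behind NOPs,
    which puts the value at an odd offset) with a valid checksum."""
    opts = b"\x01" * nops + struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
    opts += b"\x00" * (-len(opts) % 4)          # EOL padding to a 32-bit boundary
    doff = (TCP_HDR + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, doff << 4, 0x02, 65535, 0, 0)
    seg = hdr + opts
    csum = ipv6_tcp_checksum(SRC, DST, seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


if __name__ == "__main__":
    # Assumed: kernel PPPoE leaves 1492 bytes for IPv6 on a 1500-byte Ethernet link.
    syn = build_syn(1440)
    clamped, old = clamp_mss(syn, max_mss(1492, ipv6=True))
    print("MSS %d -> %d, checksum valid: %s" % (
        old, struct.unpack_from("!H", clamped, 22)[0],
        ipv6_tcp_checksum(SRC, DST, clamped) == 0))
```

In the real filters this rewrite is what PF's `scrub` with `max-mss` and the iptables `TCPMSS` target do; the example shows the two things a clamp has to get right that the message only names: the value (1440 minus nothing is too big for a 1492-byte PPPoE path under IPv6, 1432 fits) and the checksum, which must be updated or the far end silently drops the SYN.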
