>>>>> "rm" == Roy Marples <roy%marples.name@localhost> writes:
rm> I've attached my current pf.conf. As Brian pointed out in this
rm> thread, PF does not handle IPv6 fragments
That's bad but it's not the problem. There will never be any IPv6 TCP
fragments, even with all this nonsense going on. There can be UDP
fragments, though.
rm> if I drop the MTU on my clients to 1492 then I don't need the
rm> scrub mss line. Anyone have an opinion on which would be
rm> better?
The scrubbing is better.
If all hosts on an ethernet do not have the same MTU set, this will
cause a second level of brokenness---now you have two broken things
instead of one. That scenario's likely because you'll forget, or
you'll have test systems or guests or VMs or whatever.