PF, bridge, states and window scaling problem
Erik Osterholm
freebsd-lists-erik at erikosterholm.org
Tue Nov 13 08:45:22 PST 2007

On Tue, Nov 13, 2007 at 07:25:23PM +0530, Girish Venkatachalam wrote:
> On 18:57:34 Nov 13, Girish Venkatachalam wrote:
> > I just read the post you linked. Thanks. :)
>
> I read the post once again and it looks as though I understood what is
> mentioned there.
>
> The 'no-df' in scrub rule clears the Don't fragment bit in the IP
> header. When a host wrongly sends fragmented packets with the DF bit
> set, this scrub rule "correctly" resets the DF bit.
>
> Now since the host made the mistake of sending a fragmented packet with
> DF bit set (this is like saying "Please don't fragment my packet, but
> I myself have fragmented". Odd...) no-df scrub rule causes trouble.
>
> Scrub never causes trouble with properly formed packets.
>
> regards,
> Girish

Ah, that makes sense! In fact, if I'd done a little more reading, I'd
see that OpenBSD suggests the same:

http://www.openbsd.org/faq/pf/scrub.html

They mention that there are some problems (NFS specifically, and "some
online games"). I believe that we've also seen some weird behavior
with Active Directory, but I'd have to check to make sure.

Thanks for the information!

Erik
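
As an added example (not part of the original thread), this Python sketch identifies the case discussed above, an IPv4 fragment that still carries the DF bit, and shows the header change that clearing DF implies. The 20-byte headers, the 192.0.2.x addresses and all function names are constructed for illustration; it models the header only, not pf's reassembly.

```python
import struct

DF, MF, OFFSET_MASK = 0x4000, 0x2000, 0x1FFF  # bits of the flags/offset field


def checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def with_checksum(header: bytes) -> bytes:
    """Zero the checksum field (bytes 10-11), then fill in the correct value."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return zeroed[:10] + struct.pack("!H", checksum(zeroed)) + zeroed[12:]


def build_header(flags_off: int, ident: int = 0x1234) -> bytes:
    """Constructed 20-byte IPv4/UDP header, 192.0.2.1 -> 192.0.2.2."""
    return with_checksum(struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 1500, ident, flags_off, 64, 17, 0,
        bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])))


def classify(header: bytes) -> str:
    """'df-fragment' is the malformed case: a fragment that still has DF set.

    Per pf.conf(5), scrub drops such fragments unless no-df is specified.
    """
    flags_off = struct.unpack("!H", header[6:8])[0]
    is_fragment = bool(flags_off & MF) or (flags_off & OFFSET_MASK) != 0
    if is_fragment and flags_off & DF:
        return "df-fragment"
    return "fragment" if is_fragment else "whole"


def clear_df(header: bytes) -> bytes:
    """Clear the DF bit and recompute the header checksum."""
    flags_off = struct.unpack("!H", header[6:8])[0] & ~DF & 0xFFFF
    return with_checksum(header[:6] + struct.pack("!H", flags_off) + header[8:])


if __name__ == "__main__":
    samples = {"DF only": DF, "first fragment": MF,
               "first fragment + DF": DF | MF, "later fragment + DF": DF | 185}
    for name, bits in samples.items():
        hdr = build_header(bits)
        print(f"{name:22} {classify(hdr):12} -> {classify(clear_df(hdr))}")
```
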