PF, bridge, states and window scaling problem

Erik Osterholm freebsd-lists-erik at
Tue Nov 13 08:45:22 PST 2007

On Tue, Nov 13, 2007 at 07:25:23PM +0530, Girish Venkatachalam wrote:
> On 18:57:34 Nov 13, Girish Venkatachalam wrote:
> > I just read the post you linked. Thanks. :)
> I read the post once again and it looks as though I understood what is
> mentioned there.
> The 'no-df' in scrub rule clears the Don't fragment bit in the IP
> header. When a host wrongly sends fragmented packets with the DF bit
> set, this scrub rule "correctly" resets the DF bit.
> Now since the host made the mistake of sending a fragmented packet with
> DF bit set ( this is like saying " Please don't fragment my packet, but
> I myself have fragmented". Odd...) no-df scrub rule causes trouble.
> Scrub never causes trouble with properly formed packets.
> regards,
> Girish

Ah, that makes sense!  In fact, if I'd done a little more reading, I'd
see that OpenBSD suggests the same:

They mention that there are some problems (NFS specifically, and "some
online games").  I believe that we've also seen some weird behavior
with Active Directory, but I'd have to check to make sure.

Thanks for the information!

More information about the freebsd-questions mailing list