Date: Tue, 13 Nov 2007 10:45:14 -0600
From: Erik Osterholm <freebsd-lists-erik@erikosterholm.org>
To: freebsd-questions@freebsd.org
Cc: girishvenkatachalam@gmail.com
Subject: Re: PF, bridge, states and window scaling problem
Message-ID: <20071113164514.GA86464@aleph.cepheid.org>
In-Reply-To: <20071113135523.GA13178@saraswathy.susmita.org>
References: <669132de0711121208n32bfb827p4984c6d3383da713@mail.gmail.com> <20071113022053.GA17768@saraswathy.susmita.org> <20071113054220.GA74564@aleph.cepheid.org> <20071113132734.GA16728@saraswathy.susmita.org> <20071113135523.GA13178@saraswathy.susmita.org>

On Tue, Nov 13, 2007 at 07:25:23PM +0530, Girish Venkatachalam wrote:
> On 18:57:34 Nov 13, Girish Venkatachalam wrote:
> > I just read the post you linked. Thanks. :)
>
> I read the post once again and it looks as though I understood what is
> mentioned there.
>
> The 'no-df' in scrub rule clears the Don't fragment bit in the IP
> header. When a host wrongly sends fragmented packets with the DF bit
> set, this scrub rule "correctly" resets the DF bit.
>
> Now since the host made the mistake of sending a fragmented packet with
> DF bit set (this is like saying "Please don't fragment my packet, but
> I myself have fragmented". Odd...) no-df scrub rule causes trouble.
>
> Scrub never causes trouble with properly formed packets.
>
> regards,
> Girish

Ah, that makes sense! In fact, if I'd done a little more reading, I'd
see that OpenBSD suggests the same:
http://www.openbsd.org/faq/pf/scrub.html

They mention that there are some problems (NFS specifically, and "some
online games"). I believe that we've also seen some weird behavior
with Active Directory, but I'd have to check to make sure.

Thanks for the information!

Erik
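
An added example, not part of the original thread and not pf's own code: the Python below finds IPv4 headers that are fragments with the DF bit still set (the malformed case described in the quoted text) and clears DF with a recomputed header checksum, which is the header rewrite the quoted text attributes to 'no-df'. The sample headers, addresses and function names are constructed for illustration.

```python
import socket
import struct

DF, MF, OFFSET_MASK = 0x4000, 0x2000, 0x1FFF  # IPv4 flags/fragment-offset word

def checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum; checksum field must be zeroed."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def with_checksum(header: bytes) -> bytes:
    """Return the header (no payload) with bytes 10-11 set to a fresh checksum."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return zeroed[:10] + struct.pack("!H", checksum(zeroed)) + zeroed[12:]

def build_header(flags_frag: int) -> bytes:
    """Constructed 20-byte IPv4/UDP header between documentation addresses."""
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, flags_frag,
                      64, 17, 0, socket.inet_aton("192.0.2.1"),
                      socket.inet_aton("192.0.2.2"))
    return with_checksum(raw)

def inspect(header: bytes) -> dict:
    """Report DF, fragment status and checksum validity of one header."""
    ihl = (header[0] & 0x0F) * 4          # header length in bytes
    header = header[:ihl]                 # ignore any payload that follows
    word = struct.unpack("!H", header[6:8])[0]
    fragment = bool(word & MF) or (word & OFFSET_MASK) != 0
    return {"df": bool(word & DF), "fragment": fragment,
            "df_fragment": bool(word & DF) and fragment,
            "checksum_ok": with_checksum(header) == header}

def clear_df(header: bytes) -> bytes:
    """Clear DF and fix the checksum; every other field is left untouched."""
    word = struct.unpack("!H", header[6:8])[0] & ~DF & 0xFFFF
    return with_checksum(header[:6] + struct.pack("!H", word) + header[8:])

if __name__ == "__main__":
    samples = {"DF only": DF, "first fragment, DF set": DF | MF,
               "later fragment, DF set": DF | 185, "plain fragment": MF}
    for name, word in samples.items():
        hdr = build_header(word)
        print(name, inspect(hdr), "->", inspect(clear_df(hdr)))
```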