Hi again,

Sorry for asking this, but:

Did you really test the no-df option in the case where *all* UDP fragments have DF set? It seems to work fine when "some" have the flag. What syntax in pf.conf did you use to test it, so I can compare? I'm not 100% sure mine is correct even though it sure looks that way; examples tested below. Most examples I've seen provide more than one option inside the brackets; it would be sad if instead that was the issue.

On Sep 20, 2010, at 10:49 AM, [email protected] wrote:

> Synopsis: syntax change of pf might have broken no-df option
>
> State-Changed-From-To: open->closed
> State-Changed-By: henning
> State-Changed-When: Mon Sep 20 02:34:02 MDT 2010
> State-Changed-Why:
> no-df works fine, just verified again

Variants tested:

    match all scrub (no-df)
        -> doesn't work.

    match in all scrub (no-df)
    match out all scrub (no-df)
        -> doesn't work.

    match in all scrub (no-df)
        -> doesn't work.

    match in all scrub no-df
        -> gives syntax error, so can't test.

/// Full syntax of pf.conf below:

    ext_if="bnx0"
    table <annoyers> persist

    set skip on lo

    match in all scrub (no-df)

    block in inet6
    block in log
    block in quick from <annoyers>

    pass out keep state

    pass in proto tcp to self port ssh keep state (max-src-conn-rate 10/60, overload <annoyers> flush global)
    pass in proto tcp to self port 2222 keep state (max-src-conn-rate 10/60, overload <annoyers> flush global)
    pass in on $ext_if proto icmp to ($ext_if)

///

I can't see anything obviously wrong with this config, thus the report. :P

/Regards,
Einar
