https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598
Max <[email protected]> changed: CC added: [email protected]

--- Comment #3 from Max <[email protected]> ---

I have reproduced the problem. I think we shouldn't use the scrub rule without the "in" option. I.e., the rule should be `scrub *in* on gre0 ...`.

Without "in", this rule is triggered twice ("B" <--> "C"): for the outgoing *fragmented* echo request and for the incoming fragmented echo reply. As a result, the length of the received echo request exceeds the MTU on the "C" box. I think it is not good.

PF.CONF(5): "Traffic normalization is used to sanitize packet content in such a way that there are no ambiguities in packet interpretation on the receiving side. The normalizer does IP fragment reassembly to prevent attacks that confuse intrusion detection systems by sending overlapping IP fragments."

Do we really need "max-mss 1360" on the outgoing flow?

However, the appearance of "Destination Host Unreachable" remains unclear to me. It is routing stuff; I need to do some research.
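The two rule forms discussed in the comment, as an added pf.conf fragment that is not part of the bug report or of FreeBSD's own configuration. It assumes a GRE tunnel interface named gre0 between the "B" and "C" boxes, as in the report, and uses the max-mss value quoted there.

```conf
# Added example, not from the bug report. Assumes the tunnel interface is gre0.

# Original form: a scrub rule with no direction keyword applies to packets
# passing through gre0 in BOTH directions, so it normalizes the outgoing
# echo request as well as the incoming echo reply.
# scrub on gre0 all max-mss 1360

# Proposed form: the "in" keyword restricts normalization to packets that
# arrive on gre0; outbound traffic on gre0 is left untouched.
scrub in on gre0 all max-mss 1360
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without applying it, and `pfctl -s rules` afterwards lists the active scrub rules so the direction keyword can be confirmed.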
