On Tue, Nov 13, 2007 at 07:25:23PM +0530, Girish Venkatachalam wrote:

> On 18:57:34 Nov 13, Girish Venkatachalam wrote:
> > I just read the post you linked. Thanks. :)
>
> I read the post once again and it looks as though I understood what is
> mentioned there.
>
> The 'no-df' in the scrub rule clears the Don't Fragment bit in the IP
> header. When a host wrongly sends fragmented packets with the DF bit
> set, this scrub rule "correctly" resets the DF bit.
>
> Now since the host made the mistake of sending a fragmented packet with
> the DF bit set (this is like saying "Please don't fragment my packet, but
> I myself have fragmented". Odd...) the no-df scrub rule causes trouble.
>
> Scrub never causes trouble with properly formed packets.
>
> regards,
> Girish
Ah, that makes sense!

In fact, if I'd done a little more reading, I'd see that OpenBSD suggests
the same: http://www.openbsd.org/faq/pf/scrub.html

They mention that there are some problems (NFS specifically, and "some
online games"). I believe that we've also seen some weird behavior with
Active Directory, but I'd have to check to make sure.

Thanks for the information!

Erik
_______________________________________________
email@example.com mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
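The exchange above turns on one detail of the IPv4 header: a packet that carries a fragment offset or the More Fragments flag while also having Don't Fragment set is malformed, and pf's `scrub ... no-df` normalizes it by clearing DF. The following Python is an added example written for this thread, not code from pf, OpenBSD or either poster. It parses the flags/offset field of a raw IPv4 header, reports the contradictory "DF set on a fragment" case the thread describes, and models `no-df` as "clear the DF bit and recompute the header checksum". The sample headers are constructed here; the assumption that pf touches only the DF bit and the checksum for this option is the example's own simplification of the behaviour described in the thread.

```python
import socket
import struct

# Layout of the 16-bit flags + fragment-offset field (RFC 791):
# bit 15 reserved, bit 14 DF (Don't Fragment), bit 13 MF (More Fragments),
# bits 0-12 fragment offset in units of 8 bytes.
DF = 0x4000
MF = 0x2000
OFFSET_MASK = 0x1FFF


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words with the checksum field zeroed."""
    data = header[:10] + b"\x00\x00" + header[12:]
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(header: bytes) -> bool:
    """True when the checksum stored in bytes 10-11 matches the header."""
    (stored,) = struct.unpack("!H", header[10:12])
    return stored == ipv4_checksum(header)


def parse_frag_field(header: bytes):
    """Return (df, mf, offset) from the flags/offset word at bytes 6-7."""
    (field,) = struct.unpack("!H", header[6:8])
    return bool(field & DF), bool(field & MF), field & OFFSET_MASK


def is_df_fragment(header: bytes) -> bool:
    """The malformed case from the thread: a fragment that also asks not to be fragmented."""
    df, mf, offset = parse_frag_field(header)
    return df and (mf or offset != 0)


def scrub_no_df(header: bytes) -> bytes:
    """Model of 'scrub ... no-df': clear DF, leave MF/offset alone, fix the checksum."""
    (field,) = struct.unpack("!H", header[6:8])
    field &= ~DF & 0xFFFF
    fixed = bytearray(header)
    fixed[6:8] = struct.pack("!H", field)
    fixed[10:12] = struct.pack("!H", ipv4_checksum(bytes(fixed)))
    return bytes(fixed)


def build_header(ident: int, flags_offset: int, src: str, dst: str,
                 total_len: int = 1500, proto: int = 17) -> bytes:
    """Build a minimal 20-byte IPv4 header with a valid checksum (constructed test data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_offset,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


# Constructed samples (RFC 5737 documentation addresses):
# a last fragment (offset 185 * 8 = 1480 bytes) that wrongly carries DF,
# and an ordinary unfragmented packet with DF set, which scrub leaves alone.
BAD_DF_FRAGMENT = build_header(0x1234, DF | 185, "192.0.2.10", "198.51.100.20")
PLAIN_DF_PACKET = build_header(0x1235, DF, "192.0.2.10", "198.51.100.20")


if __name__ == "__main__":
    for name, hdr in (("bad fragment", BAD_DF_FRAGMENT), ("plain packet", PLAIN_DF_PACKET)):
        df, mf, off = parse_frag_field(hdr)
        print(f"{name}: DF={df} MF={mf} offset={off} malformed={is_df_fragment(hdr)}")
    fixed = scrub_no_df(BAD_DF_FRAGMENT)
    print("after no-df:", parse_frag_field(fixed), "checksum ok:", checksum_ok(fixed))
```

Run against real traffic, `is_df_fragment` is the check a monitoring script would use to spot the hosts the thread is talking about before deciding whether `no-df` is worth enabling; `scrub_no_df` shows why the option is safe for well-formed packets, since it only ever touches a bit that a properly built fragment would not have set.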