On Tue, Nov 13, 2007 at 07:25:23PM +0530, Girish Venkatachalam wrote:
> On 18:57:34 Nov 13, Girish Venkatachalam wrote:
> > I just read the post you linked. Thanks. :)
> 
> I read the post once again and it looks as though I understood what is
> mentioned there.
> 
> The 'no-df' in scrub rule clears the Don't fragment bit in the IP
> header. When a host wrongly sends fragmented packets with the DF bit
> set, this scrub rule "correctly" resets the DF bit.
> 
> Now since the host made the mistake of sending a fragmented packet with
> DF bit set ( this is like saying " Please don't fragment my packet, but
> I myself have fragmented". Odd...) no-df scrub rule causes trouble.
> 
> Scrub never causes trouble with properly formed packets.
> 
> regards,
> Girish

Ah, that makes sense!  In fact, if I'd done a little more reading, I'd
see that OpenBSD suggests the same:
http://www.openbsd.org/faq/pf/scrub.html

They mention that there are some problems (NFS specifically, and "some
online games").  I believe that we've also seen some weird behavior
with Active Directory, but I'd have to check to make sure.

Thanks for the information!
Erik
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to