On Sat, 21 Nov 2009 23:36:33 +0600, Victor Lyapunov
<fullblastst...@gmail.com> wrote:
>> This kind of thing is often due to an MTU blackhole - when a larger
>> email causes a full size IP packet to be sent. I don't see why PF
>> should make a difference though, AFAIK it's supposed to let ICMP through
>> when it's learned state on a TCP connection.
> Thanks for your answer.
> Don't know whether it is relevant to the particular issue, but I tried
> both rulesets first with `scrub in all fragment reassemble` and
> another one without it, but neither worked for me. I'm kinda upset by
> the fact that pf can't handle large emails.
> Any other ideas how to possibly fix it, please?

If on FreeBSD 7 or higher you can get rid of the keep state. It's implicit.
Secondly, please test if the problem disappears by removing the rules and
simply allowing outgoing traffic.
Your rules would be:
scrub in on $ext_if fragment reassemble
block in on $ext_if
pass out on $ext_if from $int_if:network to any

If that works, then your problem is likely that you're creating 2 states
for one connection causing confusion.

freebsd-questions@freebsd.org mailing list