On Friday, 2004-12-24 at 11:42:53 +1100, Peter J. Cherny wrote:
> Those who must interpose IPF on paths that use NFS over media
> that doesn't support large frames, should change r/wsize or force
> the use of TCP.

An especially useful idea when IKE packets get too large for the maximum fragment size.

> Adding complexity, longer code paths and/or memory consumption
> to IPF is not in the interest of the general IPF user community.
> (another user survey required <g>)

Having IPF throw away the third IKE packet in a negotiation and causing endless searches for the cause is?

> I'm REALLY tired of people trying to turn IPF into a network-stack,
> content-filter and kitchen sink, rather than being just a
> very good packet filter.

Having IPfilter support only a part of the useful protocols is what you want? I'd rather have a more complex but complete tool.

I finally found a way to reduce the size of the IKE packet, but at the price of omitting the server certificate. This weakens the security a little. Weakening security to accommodate a deficiency is not desirable.

I'm in favor of having limited reassembly by setting a maximum buffer size and the maximum buffer space allocated to reassembly.

Lupe Christoph
-- 
| [EMAIL PROTECTED] | http://www.lupe-christoph.de/ |
| "... putting a mail server on the Internet without filtering is like |
| covering yourself with barbecue sauce and breaking into the Charity |
| Home for Badgers with Rabies." Michael Lucas |
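The bounded reassembly sketched in the last paragraph of the message above, as an added illustration that is neither IPFilter code nor anything posted in this thread: a fragment cache with a per-datagram size cap and a global cap on buffered bytes, so a filter can see a whole large datagram (such as a multi-fragment IKE message) without its memory use growing without bound. Datagrams that exceed either cap, or that arrive with overlapping fragments, are discarded rather than guessed at. The class and function names, the cap values and the sample traffic are all constructed for this example.

```python
"""Bounded IP fragment reassembly (illustrative model, not IPFilter code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional

MAX_DATAGRAM_BYTES = 65535     # hypothetical per-datagram cap
MAX_TOTAL_BYTES = 4 * 65535    # hypothetical global cap on buffered bytes


@dataclass
class Fragment:
    src: str
    dst: str
    ident: int          # IP identification field shared by all fragments
    offset: int         # byte offset of this piece within the datagram
    more: bool          # "More Fragments" flag
    payload: bytes


@dataclass
class _Pending:
    parts: Dict[int, bytes] = field(default_factory=dict)  # offset -> payload
    total_len: Optional[int] = None   # known once the last fragment is seen
    buffered: int = 0


class Reassembler:
    def __init__(self, max_datagram=MAX_DATAGRAM_BYTES, max_total=MAX_TOTAL_BYTES):
        self.max_datagram = max_datagram
        self.max_total = max_total
        self.pending = {}
        self.buffered_total = 0
        self.dropped = 0              # datagrams discarded by policy

    def _forget(self, key):
        p = self.pending.pop(key, None)
        if p is not None:
            self.buffered_total -= p.buffered

    def _drop(self, key):
        self._forget(key)
        self.dropped += 1

    def add(self, frag: Fragment) -> Optional[bytes]:
        """Feed one fragment; return the whole datagram once complete, else None."""
        key = (frag.src, frag.dst, frag.ident)
        size = len(frag.payload)
        end = frag.offset + size
        # Per-datagram cap and global memory cap: refuse to grow past either.
        if end > self.max_datagram or self.buffered_total + size > self.max_total:
            self._drop(key)
            return None
        p = self.pending.setdefault(key, _Pending())
        if frag.offset in p.parts:    # exact duplicate, ignore
            return None
        p.parts[frag.offset] = frag.payload
        p.buffered += size
        self.buffered_total += size
        if not frag.more:
            p.total_len = end
        if p.total_len is None:       # last fragment not yet seen
            return None
        covered = 0
        for off in sorted(p.parts):
            if off < covered:         # overlapping fragments: discard, don't guess
                self._drop(key)
                return None
            if off > covered:         # gap: wait for the missing piece
                return None
            covered = off + len(p.parts[off])
        if covered != p.total_len:    # data beyond the declared last fragment
            self._drop(key)
            return None
        data = b"".join(p.parts[o] for o in sorted(p.parts))
        self._forget(key)
        return data


def fragment(data: bytes, chunk: int, src: str, dst: str, ident: int):
    """Split a datagram into fixed-size fragments (constructed test traffic)."""
    return [Fragment(src, dst, ident, off, off + chunk < len(data), data[off:off + chunk])
            for off in range(0, len(data), chunk)]


def demo():
    """Reassemble a constructed 2560-byte message delivered in reverse order."""
    r = Reassembler(max_datagram=4096, max_total=8192)
    msg = bytes(range(256)) * 10     # stands in for a large IKE message
    results = [r.add(f) for f in reversed(fragment(msg, 1000, "10.0.0.1", "10.0.0.2", 7))]
    return {"complete": results[-1] == msg, "buffered_after": r.buffered_total}


if __name__ == "__main__":
    print(demo())
```

The global cap is what keeps a flood of never-completed fragment sets from exhausting memory: once `buffered_total` is full, further incomplete datagrams are dropped and counted, while datagrams already buffered can still finish. A real implementation would also age out stale entries; the timer is omitted here.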
