On Nov 7, 2008, at 2:40 AM, Stuart Henderson wrote:

> On 2008-11-06, Johan Strvm <[EMAIL PROTECTED]> wrote:
>> Anyone know how common this problem with blocked ICMP packets is?
>
> Idiot firewall and router admins do it the world over.
>
> If you can work out who's filtering ICMP, you can attempt to apply
> a LART, but experience shows this is rarely successful :(
Yeah, I guess that would be a never-ending task...

> PF scrub (max-mss, maybe no-df) can be a useful tool here...

Are there any side effects to removing the no-df bit on all packets?
A quick read-up tells me I should use random-id to make sure no zero ip-id packets get through, but I also saw somewhere that this only works on outgoing packets (no reference in pf.conf though?).

So should I have something like this?

scrub in on $ext_if no-df
scrub out on $int_vlan1 random-id
scrub out on $int_vlan2 random-id
scrub out on $int_vlan3 random-id

I guess

scrub out on $ext_if random-id

would be nice too, in order to "hide" my hosts (host counting etc)

Or shall I use random-id on the scrub in rule?


Back to the vlan/em thingy: if I use a vlan directly on top of the em interface (without trunk) I actually get a 1500b MTU (thanks Johan Fredin!). This would indicate that the em interface actually supports oversized MTU frames, but not through a trunk?

Can anyone shed some light on this?

Thanks!
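For reference, an added pf.conf scrub fragment (not from this thread or from the OpenBSD project) that puts Stuart's max-mss suggestion next to the no-df/random-id rules Johan is asking about, using the scrub-rule syntax of that era; the interface macros and the 1440 MSS value are assumptions for illustration:

```conf
# Assumed macros (constructed for this example)
ext_if = "em0"
int_ifs = "{ vlan1 vlan2 vlan3 }"

# Inbound from the outside: reassemble fragments, clear DF so that
# hosts behind a broken (ICMP-filtering) path still get their packets,
# and clamp the TCP MSS so PMTU discovery is no longer needed for
# the common case. max-mss is the part that works around blackholes.
scrub in on $ext_if all fragment reassemble no-df max-mss 1440

# Outbound to the outside: randomize the IPv4 id on the packets we
# emit, which also replaces the zero ids some hosts send once DF is
# cleared, and keeps internal host counting harder.
scrub out on $ext_if all random-id max-mss 1440

# Towards the internal vlans: same id randomization on the way in
# to the LAN segments, as in the original question.
scrub out on $int_ifs all random-id
```

Verify with `pfctl -nf /etc/pf.conf` before loading, and watch `pfctl -s info` counters for fragments and normalized packets to see the rules take effect.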
