* Joe Gidi <[email protected]> [2009-04-08 15:21]:
> > On 2009-04-07, Dirk Mast <[email protected]> wrote:
> >> Dan Carley wrote:
> >>
> >>> Technically it won't be relayd that is the cause of your woes, because
> >>> it is PF that will be performing the grunt work of the TCP redirection.
> >>>
> >>> Based on what Brian said, you may find that playing with 'scrub out'
> >>> and 'max-mss' in your PF rules alleviates the issue.
> >>
> >> Which will soon be no longer.
> >
> > so then play with "scrub (max-mss ###)" instead. you can either use
> > this on your pass rules, or with the new match rules.
> >
> > http://www.openbsd.org/faq/current.html#20090406
> > http://marc.info/?m=123901961726016
> >
> > this will be hitting snapshots soon.
>
> So for a very simple example like the one from the PF Guide:
>
>     scrub in
>     block in
>     pass out keep state
>     pass in on $ext_if inet proto tcp from any to ($ext_if) \
>         port $tcp_services flags S/SA keep state
>
> Would now be:
>
>     block in
>     pass out keep state
>     pass in on $ext_if inet proto tcp from any to ($ext_if) \
>         port $tcp_services flags S/SA keep state
>     match in all scrub
>
> correct?
that works.

    match in all scrub
    block in
    pass out keep state
    pass in on $ext_if inet proto tcp from any to ($ext_if) \
        port $tcp_services flags S/SA keep state

does too. as does this

    block in
    match in all scrub
    pass out keep state
    pass in on $ext_if inet proto tcp from any to ($ext_if) \
        port $tcp_services flags S/SA keep state

or this

    block in
    pass out keep state
    match in all scrub
    pass in on $ext_if inet proto tcp from any to ($ext_if) \
        port $tcp_services flags S/SA keep state

-- 
Henning Brauer, [email protected], [email protected]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
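The two placements of the max-mss clamp that the thread mentions (on a match rule, or directly on the pass rule), written out as an added pf.conf fragment that is not from any post above; the macro values and the MSS of 1440 are illustrative choices, not values from the thread.

```pf
# Added example, not taken from the thread. The macro values below and the
# max-mss figure are assumptions for illustration; pick the MSS that fits
# the real path MTU in front of the relayd redirection.
ext_if = "em0"
tcp_services = "{ 22, 80, 443 }"

# Variant 1: normalisation via a match rule (replaces the old 'scrub in').
# The clamp is applied to every TCP SYN passing in, so connections that PF
# redirects on relayd's behalf never negotiate an MSS larger than 1440.
match in all scrub (max-mss 1440)

block in
pass out keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state

# Variant 2: the same clamp attached to the pass rule itself, as an
# alternative to the match rule above (use one or the other).
# pass in on $ext_if inet proto tcp from any to ($ext_if) \
#     port $tcp_services flags S/SA keep state scrub (max-mss 1440)
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it; the dry run reports syntax errors without touching the running ruleset.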

