On Nov 8, 2009, at 11:32 PM, Cor wrote:
> I changed the following rule:
>
>   match in all scrub (reassemble tcp no-df random-id)
>
> to
>
>   match in all scrub (no-df random-id)
>
> and then www.isa.org came up as normal. (This latter match
> incantation may be useless, or otherwise not make sense; I just
> removed "reassemble tcp" as an experiment.)
> This of course could just be coincidence, Internet problems, etc.
> so I just wanted to ask if anyone else was experiencing this. I
> suspect the answer will be that this should work fine, is the way
> things should be, and these web sites are errant somehow, and that's
> OK, but I wanted to make sure.

I've had "reassemble tcp" commented out in my pf config for years,
with a note attached that says "causes problems with certain web
servers -- connections appear to hang".
So yes, we've experienced this in the past as well. I always assumed
it was misbehaving hosts causing the problem, but I don't have any
control over those hosts so I ended up just commenting out the line.
Jason
--
Jason Healy | jhe...@logn.net | http://www.logn.net/