On Tue, Nov 12, 2002 at 03:37:01PM -0300, Alejandro G. Belluscio wrote:

> I've noticed a total lack of OpenBSD solutions.

I'm not sure what 'solutions' you expect. If your peer is sending you packets with DF set that are too large to pass the intermediate hops but doesn't get (or ignores) the resulting ICMP error messages and keeps retransmitting the oversized packet, there's nothing you can do on your end. There's no difference between clients and servers here, the situation is symmetric with two peers.

You can use 'max-mss' to clamp the mss on your gateway, if you like. But the problem can really only be solved by the peer, which is the point of the article you refer to.

pf itself does automatically pass ICMP errors that refer to statefully filtered connections, so it doesn't contribute to the problem. You'd have to explain how you expect it to solve the peer's problem, though.

Daniel
