On Mon, Nov 18, 2002 at 06:50:12AM -0800, Dan Moinescu wrote:
> I was indeed using a Linux box as the NFS client. But
> nonetheless, this means that if some Linux router or
> server out there decides to fragment a packet going to
> my OpenBSD box, that network connection will be
> corrupted, is that true?
Linux' NFS behavior has been the topic of previous discussion, please see the linux-nfs mailing list archive for details:

http://marc.theaimsgroup.com/?l=linux-nfs

The bottom line, so far, is that they think using DF is a good idea, whereas we think it's not.

If you want such connections to pass through a pf firewall, you have to disable scrubbing for them. You can enable scrubbing in general and exclude specific protocols/ports using 'no scrub ...'. Without packet reassembly done by scrub, however, you won't be able to filter these connections statefully nor translate them (NAT). Basically, translations require stateful filtering, which requires reassembled packets, which requires scrub, which drops fragmented packets with DF set.

You can remove the DF check, if you want to give in to Linux' point of view regarding this matter, but we won't change pf's default behavior based on the discussions so far.

Daniel
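The following pf.conf fragment is an added illustration of the two configurations Daniel describes; it is not from the original thread or from the OpenBSD project. It assumes an external interface named fxp0 and an NFS server address of 192.0.2.10 (both placeholders), and that NFS is reached on port 2049 (the standard NFS port). The exclusion is keyed to the server address rather than the port, because only the first fragment of a datagram carries UDP/TCP ports; later fragments would not match a port-based 'no scrub' rule and would still be dropped.

```pf
# --- Option A: keep the default DF check, exempt NFS traffic from scrub ---
# 'no scrub' acts like 'drop quick': a matching packet stays unscrubbed and
# later scrub rules are not consulted, so it must come before the general rule.
# Address-based match: non-first fragments have no port numbers to match on.
no scrub in on fxp0 from 192.0.2.10 to any          # placeholder NFS server
no scrub out on fxp0 from any to 192.0.2.10

# Everything else is reassembled, and DF-flagged fragments are dropped as usual.
scrub in all

# Consequence of Option A (as the message explains): the exempted NFS traffic
# is not reassembled, so it cannot be filtered statefully or translated.
# It therefore needs stateless pass rules; 'keep state' and NAT cannot apply.
pass in  on fxp0 proto udp from 192.0.2.10 to any port 2049 no state
pass out on fxp0 proto udp from any to 192.0.2.10 port 2049 no state

# --- Option B: accept the Linux view and clear DF instead (assumption: this
# uses pf's documented 'no-df' scrub option, not a source change). The DF bit
# is cleared before reassembly, so the fragments are reassembled and can be
# stateful-filtered and NAT'd like any other traffic. It is not pf's default.
# scrub in on fxp0 all no-df
# scrub in all
```

Only one of the two options should be active at a time; Option B is commented out above. Either way, 'pfctl -nf /etc/pf.conf' parses the file without loading it, which is the first check to run after editing scrub rules.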
