On Saturday 13 December 2003 01:46, Daniel Hartmeier wrote:
> On Sat, Dec 13, 2003 at 01:51:49AM +0200, Toni Riekkinen wrote:
> > What is the difference between using "scrub all reassemble tcp" and using
> > "modulate state" in incoming traffic rules, i.e. for webserver in DMZ:
> SNIP
> So, these are two different and independent things. You can enable
> either of them, both or none. All of this is detailed in pf.conf(5),
The "reassemble tcp" option for scrub is broken. When some clients (say, SuSE 9.0) try to connect to a Windows server, the client will get a timeout due to "reassemble tcp". This has been on this mailing list several times before.

Mike Frantzen has a patch for this (also on the mailing list), but the patch has not made its way into the patch branch. The patch solved the immediate timeout problem, but for longer connections (about 3 min) I still got some problems. But I think that might be due to bad network connections when I tested it.

/Sigfred
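To make Daniel's point concrete, here is an added pf.conf fragment for the DMZ webserver case from the original question (not from either poster or from the pf project). The interface name, address and macro names are assumptions; it shows that "reassemble tcp" lives on the scrub line and "modulate state" on the pass rule, so either can be switched on or off without touching the other.

```pf
# Assumed names: external interface em0, DMZ webserver at 192.0.2.10.
ext_if  = "em0"
web_srv = "192.0.2.10"

# Normalization happens before filtering. "reassemble tcp" is a scrub
# option; drop that keyword (keeping "fragment reassemble") if it causes
# the client timeouts reported in this thread, and the pass rules below
# are unaffected.
scrub in on $ext_if all fragment reassemble reassemble tcp

# Default deny, then allow only new connections to the webserver.
block in on $ext_if all

# "modulate state" is a per-rule state option: it keeps state like
# "keep state" and additionally rewrites initial sequence numbers for
# the protected server. It works with or without the scrub line above.
pass in on $ext_if inet proto tcp from any to $web_srv port www \
    flags S/SA modulate state
```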
