Ah, 'no scrub' only prevents the TCP normalizations. IP normalization
still occurs (and blocking IP fragments with DF set is an IP
normalization).
You can try the patch below, or alternatively make sure the positive
scrub rules do not include $LAB_NFS_SERVERS, as a workaround, like
scrub in from ! $LAB_NFS_SERVERS to ! $LAB_NFS_SERVERS
scrub out from ! $LAB_NFS_SERVERS to ! $LAB_NFS_SERVERS
Daniel
Index: pf_norm.c
===================================================================
RCS file: /cvs/src/sys/net/pf_norm.c,v
retrieving revision 1.98
diff -u -r1.98 pf_norm.c
--- pf_norm.c 21 May 2005 21:03:57 -0000 1.98
+++ pf_norm.c 21 May 2005 22:41:11 -0000
@@ -849,7 +849,7 @@
break;
}
- if (r == NULL)
+ if (r == NULL || r->action == PF_NOSCRUB)
return (PF_PASS);
else
r->packets++;
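Review bot: with the added `|| r->action == PF_NOSCRUB` condition, a matching 'no scrub' rule now returns PF_PASS before reaching `r->packets++`, so its counters are never incremented and the rule will show no hits in the statistics even though it is taking effect. If that is not intended, consider counting the match before the early return, e.g. `if (r != NULL) r->packets++;` followed by the PF_NOSCRUB check, so that operators can verify from the counters which packets skipped IP normalization.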
@@ -1067,7 +1067,7 @@
break;
}
- if (r == NULL)
+ if (r == NULL || r->action == PF_NOSCRUB)
return (PF_PASS);
else
r->packets++;
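Review bot: this hunk duplicates the first one verbatim in a second function, including the same counter-skipping behaviour (the `r->packets++` on the matched 'no scrub' rule is bypassed by the early `return (PF_PASS)`). Keep the two paths consistent with each other and with whatever the TCP normalization path already does for 'no scrub' rules, and consider a short comment on both lines explaining that a `PF_NOSCRUB` match is an explicit opt-out from IP normalization rather than a non-match, since the identical condition is easy to update in one place and forget in the other.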