Hello Community,
Consider the following scrub rule:
Code:
scrub in on $ext_if all fragment reassemble no-df random-id min-ttl 64 max-mss 1440
The pf.conf man page says that some operating systems fragment outgoing packets but still set the don't-fragment bit, as is the case with NFS. By default PF drops packets with the don't-fragment bit set. The solution is to add the no-df option to the scrub rule, which clears the don't-fragment bit, allowing these packets to pass.

But what about packets that are not fragmented and have the don't-fragment bit set? Would the no-df option allow those large packets to enter the system? Or will the receiving host (the router) examine the size of the packet and fragment it according to the max-mss, which is also specified in the scrub rule?
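An added example, not code from pf or from this thread: a small Python model of the three normalisations in the scrub rule quoted above, following what pf.conf(5) documents for them. Fragments carrying the don't-fragment bit are dropped unless no-df is given; no-df clears the bit; min-ttl raises a low TTL; max-mss rewrites the TCP MSS option in a SYN so that the two endpoints send smaller segments. Note that scrub never fragments a packet itself, so an unfragmented DF packet is passed with its size unchanged. The addresses (TEST-NET 192.0.2.x), ports, TTLs and MSS values are constructed, and the TCP checksum is left at zero because the model only touches the IP header and the MSS option.

```python
"""Toy model of pf's scrub no-df / min-ttl / max-mss handling (stdlib only)."""
import struct

IP_DF = 0x4000        # don't-fragment flag in the IPv4 flags/offset field
IP_MF = 0x2000        # more-fragments flag
IP_OFFMASK = 0x1FFF   # 13-bit fragment offset
IP_HDR = "!BBHHHBBH4s4s"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum used for the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _fix_ip_checksum(pkt: bytes) -> bytes:
    """Recompute the IPv4 header checksum after the header was modified."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = pkt[:10] + b"\x00\x00" + pkt[12:ihl]
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + pkt[ihl:]


def build_packet(df=False, ttl=64, mss=None, frag_off=0, more=False) -> bytes:
    """Constructed IPv4 + TCP SYN from 192.0.2.1 to 192.0.2.2:2049 (the NFS port).
    mss=None omits the MSS option; frag_off/more make the packet a fragment."""
    opts = struct.pack("!BBH", 2, 4, mss) if mss is not None else b""
    data_off = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 2049, 1, 0, data_off << 4,
                      0x02, 65535, 0, 0) + opts
    frag = (IP_DF if df else 0) | (IP_MF if more else 0) | (frag_off & IP_OFFMASK)
    hdr = struct.pack(IP_HDR, 0x45, 0, 20 + len(tcp), 0x1234, frag, ttl, 6, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return _fix_ip_checksum(hdr) + tcp


def parse(pkt: bytes) -> dict:
    """Extract the fields scrub looks at: DF, fragment-ness, TTL and the TCP MSS option."""
    _, _, _, _, frag, ttl, proto, _, _, _ = struct.unpack(IP_HDR, pkt[:20])
    ihl = (pkt[0] & 0x0F) * 4
    info = {"df": bool(frag & IP_DF), "fragment": bool(frag & (IP_MF | IP_OFFMASK)),
            "ttl": ttl, "mss": None, "mss_at": None}
    # Only an unfragmented packet or a first fragment carries the TCP header.
    if proto == 6 and not (frag & IP_OFFMASK):
        tcp_len = (pkt[ihl + 12] >> 4) * 4
        i = ihl + 20
        while i < ihl + tcp_len:
            kind = pkt[i]
            if kind == 0:          # end of option list
                break
            if kind == 1:          # NOP padding
                i += 1
                continue
            length = pkt[i + 1]
            if length < 2:         # malformed option; stop rather than loop forever
                break
            if kind == 2 and length == 4:
                info["mss"] = struct.unpack("!H", pkt[i + 2:i + 4])[0]
                info["mss_at"] = i + 2
            i += length
    return info


def scrub(pkt: bytes, no_df=False, min_ttl=None, max_mss=None):
    """Apply the scrub options; returns (normalised packet or None if dropped, actions)."""
    info = parse(pkt)
    frag = struct.unpack("!H", pkt[6:8])[0]
    if info["fragment"] and info["df"] and not no_df:
        return None, ["drop: fragment with DF set and no-df not given"]
    out = bytearray(pkt)
    actions = []
    if no_df and info["df"]:
        struct.pack_into("!H", out, 6, frag & ~IP_DF)
        actions.append("no-df: cleared DF")
    if min_ttl is not None and info["ttl"] < min_ttl:
        out[8] = min_ttl
        actions.append("min-ttl: ttl %d -> %d" % (info["ttl"], min_ttl))
    if max_mss is not None and info["mss"] is not None and info["mss"] > max_mss:
        struct.pack_into("!H", out, info["mss_at"], max_mss)
        actions.append("max-mss: mss %d -> %d" % (info["mss"], max_mss))
    # The packet's length never changes: scrub rewrites headers, it does not fragment.
    return _fix_ip_checksum(bytes(out)), actions


if __name__ == "__main__":
    syn = build_packet(df=True, ttl=10, mss=1460)
    out, acts = scrub(syn, no_df=True, min_ttl=64, max_mss=1440)
    print(acts, parse(out))
    frag = build_packet(df=True, frag_off=185)
    print(scrub(frag)[1], scrub(frag, no_df=True)[1])
```

Running the module shows the SYN leaving with DF cleared, TTL raised to 64 and MSS clamped to 1440 while keeping its original length, and the DF-marked fragment being dropped without no-df but passed with it.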