From: Girish Venkatachalam
To: freebsd-questions@freebsd.org
Cc: Erik Osterholm
Date: Tue, 13 Nov 2007 19:25:23 +0530
Subject: Re: PF, bridge, states and window scaling problem
Message-ID: <20071113135523.GA13178@saraswathy.susmita.org>

On 18:57:34 Nov 13, Girish Venkatachalam wrote:
> I just read the post you linked. Thanks. :)

I read the post once again and it looks as though I understood what is
mentioned there.

The 'no-df' in scrub rule clears the Don't fragment bit in the IP header.

When a host wrongly sends fragmented packets with the DF bit set, this
scrub rule "correctly" resets the DF bit.

Now since the host made the mistake of sending a fragmented packet with
DF bit set (this is like saying "Please don't fragment my packet, but I
myself have fragmented". Odd...) no-df scrub rule causes trouble.

Scrub never causes trouble with properly formed packets.

regards,
Girish
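
The header condition discussed in the message above (a fragment that still carries the DF bit) and the bit-clearing that 'no-df' is described as doing, as an added example that is not part of the original post. It models only IPv4 header fields, not PF itself, and assumes a 20-byte header without options; the function names and the sample header values are constructed for illustration.

```python
import struct

DF = 0x4000           # Don't Fragment flag in the flags/offset word
MF = 0x2000           # More Fragments flag
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, in units of 8 bytes


def checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_header(word: int, ident: int = 0x1234) -> bytes:
    """Constructed 20-byte IPv4 header (documentation addresses, UDP)."""
    raw = struct.pack("!6H4s4s", 0x4500, 1500, ident, word, (64 << 8) | 17, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return raw[:10] + struct.pack("!H", checksum(raw)) + raw[12:]


def flags_frag(header: bytes) -> int:
    """Return the 16-bit flags + fragment-offset word."""
    return struct.unpack("!H", header[6:8])[0]


def is_fragment(header: bytes) -> bool:
    """A packet is a fragment if MF is set or its offset is non-zero."""
    word = flags_frag(header)
    return bool(word & MF) or (word & OFFSET_MASK) != 0


def is_df_fragment(header: bytes) -> bool:
    """The contradictory case from the message: fragmented, yet DF is set."""
    return is_fragment(header) and bool(flags_frag(header) & DF)


def clear_df(header: bytes) -> bytes:
    """Clear DF and recompute the checksum; all other fields are untouched."""
    word = flags_frag(header) & ~DF & 0xFFFF
    raw = (header[:6] + struct.pack("!H", word) + header[8:10]
           + b"\x00\x00" + header[12:])
    return raw[:10] + struct.pack("!H", checksum(raw)) + raw[12:]
```

A header whose checksum field is valid makes `checksum()` return 0, which is how the rewritten header can be checked after the DF bit is cleared.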