DaemonForums  

#1
3rd January 2019
apfelgluck
Port Guard

Join Date: Sep 2016
Location: France
Posts: 14

[pf] MTU question

Hello,


I have questions about this line I see on this site.

Code:
match all scrub (no-df max-mss 1440)
What is the use of this rule if we allow with pf the discovery of the MTU by the hosts with a rule like:

Code:
pass inet proto icmp all icmp-type { echoreq, unreach } from $LAN to any
With the above rule, the hosts are supposed to discover the MTU by themselves and to adapt to it.
Correct?

So why force the PTU to an arbitrary value?
#2
3rd January 2019
jggimi
More noise than signal

Join Date: May 2008
Location: USA
Posts: 7,977

As I perceive it, these are two different provisioning recommendations.
  • Path MTU Discovery permits an endpoint to find an optimum MTU for a route.
  • The scrub instruction directs PF to conduct incoming packet normalization.
If you don't get better clarity from someone here, try asking Peter directly. He's open to receiving clarifying questions about his tutorial.
#3
3rd January 2019
TronDD
Spam Deminer

Join Date: Sep 2014
Posts: 304

I'm not sure exactly where you're looking but in the "scrub" section, the rule is
Code:
match *in* all scrub...
You're limiting the MTU of incoming packages while your second rule is allowing outgoing connections to find the maximum MTU size.
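
Added example, not part of any post in this thread and not pf's own code: a Python model of what `max-mss` in a scrub rule does to a TCP SYN, lowering the MSS option during the handshake, whereas Path MTU Discovery relies on ICMP unreachable messages arriving later. The function names, the sample SYN and the documentation addresses in the pseudo-header are constructed for illustration.

```python
import struct

MAX_MSS = 1440  # value from the scrub rule quoted in the thread
# Constructed TCP pseudo-header: 192.0.2.1 -> 198.51.100.7, proto 6, length 24
PSEUDO = bytes([192, 0, 2, 1, 198, 51, 100, 7, 0, 6, 0, 24])

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum (RFC 1071)."""
    data += b"\x00" * (len(data) % 2)
    s = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def sample_syn(mss: int) -> bytes:
    """Constructed SYN (ports 40000 -> 443), one MSS option, valid checksum."""
    tcp = struct.pack("!HHIIBBHHHBBH", 40000, 443, 1, 0, 0x60, 0x02, 64240, 0, 0, 2, 4, mss)
    return tcp[:16] + struct.pack("!H", inet_checksum(PSEUDO + tcp)) + tcp[18:]

def clamp_mss(tcp: bytes, max_mss: int = MAX_MSS) -> bytes:
    """Lower the MSS option of a SYN or SYN-ACK to max_mss and patch the
    checksum incrementally (RFC 1624). Other input is returned unchanged."""
    hdr_len = (tcp[12] >> 4) * 4 if len(tcp) >= 20 else 0
    if hdr_len < 20 or hdr_len > len(tcp) or not tcp[13] & 0x02:
        return tcp                               # truncated, or not a SYN
    i = 20                                       # options follow fixed header
    while i + 1 < hdr_len:
        kind, length = tcp[i], tcp[i + 1]
        if kind == 0:                            # end of option list
            break
        if kind == 1:                            # NOP is a single byte
            i += 1
            continue
        if length < 2 or i + length > hdr_len:   # malformed: leave untouched
            break
        if kind == 2 and length == 4:            # MSS option
            old = struct.unpack_from("!H", tcp, i + 2)[0]
            if old <= max_mss:
                return tcp
            out = bytearray(tcp)
            struct.pack_into("!H", out, i + 2, max_mss)
            a, b = (i + 2) & ~1, (i + 5) & ~1    # aligned words holding the value
            not_hc = bytes(x ^ 0xFF for x in tcp[16:18] + tcp[a:b])
            # RFC 1624 eqn 3: HC' = ~(~HC + ~m + m')
            struct.pack_into("!H", out, 16, inet_checksum(not_hc + out[a:b]))
            return bytes(out)
        i += length
    return tcp
```

A SYN advertising 1460 comes out advertising 1440 with a checksum that still verifies; a SYN that already advertises 1440 or less, and any non-SYN segment, passes through byte for byte.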