Daniel Melameth <daniel () melameth ! com>
> What have you tried?

MSS probably incorrectly.
I had a 4.9 install I think with a lot of rules but I've started from
scratch with 5.1 over the weekend and I think I've got it now.

> TCP negotiates MSS so a TCP session will never have an MSS higher than
> what one side can accept.

Thanks. That makes sense.
Interestingly this is the exact setup that ran with the previous ISP
so presumably they handled all that within their network and passed on
packets somewhat smaller than 1500 to me. I never had to reassemble
packets or scrub them or negotiate size.

> There is no default block of ICMP.  As a matter of fact, unlike some
> other poor firewall implementations that break PMTU (and this might be
> what you are experiencing with some hosts), you cannot configure pf to
> block ICMP for an existing state.

Thanks.
I was thinking of ICMP from internal clients which is obviously a
different matter.

Best wishes.
