On 2012/05/14 21:14, Bruce Cran wrote:
> The PF example at http://www.openbsd.org/faq/pf/example1.html should
> add unreach to the icmp types, otherwise path mtu discovery won't
> work.

Thanks for the feedback but this is not necessary, PF state tracking
automatically includes ICMP packets relevant to that state. See the
STATEFUL FILTERING section of pf.conf(5):

     Furthermore, correct handling of ICMP error messages is critical to
     many protocols, particularly TCP. pf(4) matches ICMP error messages
     to the correct connection, checks them against connection parameters,
     and passes them if appropriate. For example if an ICMP source quench
     message referring to a stateful TCP connection arrives, it will be
     matched to the state and get passed.
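
Added illustration, not part of the email thread and not pf's own code: a simplified Python model of the matching the quoted pf.conf(5) passage describes, where an ICMP error quotes the offending packet's IP header plus its first 8 bytes and that quoted tuple is looked up in the state table. The addresses, ports, state-table layout and function names are constructed for this example, and the model checks only the address/port tuple, whereas pf also checks the message against further connection parameters.

```python
import socket
import struct

# Constructed sample state: one outbound TCP connection, keyed as
# (proto, src_ip, src_port, dst_ip, dst_port).
STATES = {(6, "192.0.2.10", 51000, "198.51.100.5", 443)}

# ICMP error types: unreach, source quench, time exceeded, parameter problem.
ICMP_ERROR_TYPES = {3, 4, 11, 12}


def build_icmp_error(icmp_type, code, mtu, src, sport, dst, dport, proto=6):
    """Build a constructed ICMP message quoting an IPv4 header + 8 bytes of L4."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0, 0x4000, 64, proto,
                           0, socket.inet_aton(src), socket.inet_aton(dst))
    inner_l4 = struct.pack("!HHI", sport, dport, 1000)  # ports + TCP sequence
    # type, code, checksum (left 0 in this model), unused, next-hop MTU
    header = struct.pack("!BBHHH", icmp_type, code, 0, 0, mtu)
    return header + inner_ip + inner_l4


def match_icmp_error(icmp_payload, states=STATES):
    """Return the state an ICMP error refers to, or None if it matches none."""
    if len(icmp_payload) < 8 + 20 + 8:
        return None  # too short to quote an IP header plus 8 bytes
    if icmp_payload[0] not in ICMP_ERROR_TYPES:
        return None  # ICMP queries (e.g. echo request) are not tied to a state
    inner = icmp_payload[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None  # quoted packet is not a well-formed IPv4 header
    proto = inner[9]
    src = socket.inet_ntoa(inner[12:16])
    dst = socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    key = (proto, src, sport, dst, dport)
    return key if key in states else None
```

A "fragmentation needed" unreach (type 3, code 4) quoting the tracked connection resolves to its state without any icmp-type rule, while the same message quoting an unknown port, or an echo request, resolves to nothing.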