On 2/4/08, Richard Green <[EMAIL PROTECTED]> wrote:
> I have this rule:
>
> 'scrub in all max-mss 1400'
>
> When two peers on opposite sides of this firewall attempt to connect, a
> TCP SYN packet passes in from peer-1 through one interface, with its MSS
> field set to 1360, through a bi-nat rule and the above scrub rule, and exits
> another interface, and onwards to peer-2, its MSS field value having been
> raised to 1400. (This effect observed using tcpdump on both interfaces at the
> same time)
>
> This causes problems, as the packets returned from peer-2 are often too
> big for peer-1 to handle.
>
> Is the raising of the MSS field value expected behaviour?
>
> The man page and FAQ, and the option name itself, indicated the max-mss value
> should set an upper limit, not an absolute value.
>
> So what am I doing wrong? How do I use max-mss to set an upper limit, rather
> than an absolute value?
I am uncertain what it is you want to accomplish, but if one host is telling you its max-mss is 1360 and you change this to 1400, you will break connectivity with that host. When two hosts do a TCP handshake, they will use the lower max-mss supported between them. FWIW, if you must change it at all, you should probably only change the max-mss on packets going out of your network/from your hosts.
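To make the distinction in this thread concrete, here is an added example (not code from either poster, and not pf's own scrub implementation) that walks the TCP option list of a constructed SYN segment and contrasts the documented `max-mss` semantics (an upper bound, so an MSS of 1360 stays 1360 under `max-mss 1400`) with the behaviour the original poster observed (the option overwritten unconditionally). The segment builder, the option walker and the function names are all assumptions made for this example; the sample SYN is constructed, not captured.

```python
import struct

# TCP option kinds relevant here (RFC 793 / RFC 9293).
TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2


def build_syn(src_port: int, dst_port: int, mss: int) -> bytes:
    """Constructed sample: a minimal TCP SYN, 20-byte fixed header plus a
    4-byte MSS option (24 bytes total). Checksum is left at 0 because this
    segment never goes on the wire."""
    data_offset_words = 6                      # 24 bytes / 4
    header = struct.pack("!HHIIBBHHH",
                         src_port, dst_port,
                         0, 0,                 # seq, ack
                         data_offset_words << 4,
                         0x02,                 # flags: SYN
                         65535, 0, 0)          # window, checksum, urgent ptr
    return header + struct.pack("!BBH", TCP_OPT_MSS, 4, mss)


def _mss_value_offset(tcp: bytes):
    """Walk the TCP option list and return the byte offset of the 16-bit MSS
    value, or None if the segment carries no MSS option. Malformed option
    lengths raise rather than being silently skipped."""
    data_offset = (tcp[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp):
        raise ValueError("bad TCP data offset")
    i = 20
    while i < data_offset:
        kind = tcp[i]
        if kind == TCP_OPT_EOL:
            return None
        if kind == TCP_OPT_NOP:                # single-byte option
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("truncated TCP option")
        length = tcp[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("malformed TCP option length")
        if kind == TCP_OPT_MSS and length == 4:
            return i + 2
        i += length
    return None


def mss_of(tcp: bytes):
    """Return the MSS advertised in the segment, or None."""
    off = _mss_value_offset(tcp)
    return None if off is None else struct.unpack_from("!H", tcp, off)[0]


def clamp_mss(tcp: bytes, max_mss: int) -> bytes:
    """The documented max-mss semantics: an upper bound. Only an MSS larger
    than max_mss is rewritten; a smaller one (1360 under max-mss 1400) is
    left untouched, so the peer is never told it may send more than it can take."""
    off = _mss_value_offset(tcp)
    if off is None:
        return tcp
    if struct.unpack_from("!H", tcp, off)[0] <= max_mss:
        return tcp
    out = bytearray(tcp)
    struct.pack_into("!H", out, off, max_mss)
    # A real packet filter recomputes the TCP checksum after this rewrite.
    return bytes(out)


def overwrite_mss(tcp: bytes, value: int) -> bytes:
    """The behaviour the original poster observed: the MSS option is set to
    the configured value unconditionally, so 1360 is raised to 1400."""
    off = _mss_value_offset(tcp)
    if off is None:
        return tcp
    out = bytearray(tcp)
    struct.pack_into("!H", out, off, value)
    return bytes(out)


def negotiated_mss(mss_a: int, mss_b: int) -> int:
    """Each side sends with the MSS the *other* side advertised; the effective
    segment size for the connection is the smaller of the two."""
    return min(mss_a, mss_b)


if __name__ == "__main__":
    syn = build_syn(40000, 443, 1360)          # peer-1's SYN from the thread
    print("original MSS:   ", mss_of(syn))
    print("clamped to 1400:", mss_of(clamp_mss(syn, 1400)))
    print("overwritten:    ", mss_of(overwrite_mss(syn, 1400)))
    print("negotiated:     ", negotiated_mss(1360, 1400))
```

Running the block shows why the observed behaviour breaks the connection: after `overwrite_mss`, peer-2 believes it may send 1400-byte segments to a host that can only accept 1360, whereas `clamp_mss` leaves the smaller advertisement alone and only ever lowers an MSS that exceeds the limit.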