On Tuesday 05 February 2008 07:18:34 Stuart Henderson wrote:
> On 2008/02/04 18:12, Richard Green wrote:
> > When two peers on opposite sides of this firewall attempt to
> > connect, a TCP SYN packet passes in from peer-1 through one interface,
> > with its MSS field set to 1360, through a bi-nat rule and the above
> > scrub rule, and exits another interface, and onwards to peer-2, its MSS
> > field value having been raised to 1400. (This effect was observed using
> > tcpdump on both interfaces at the same time.)
>
> I can't replicate this with pf/binat/scrub max-mss... think you'll need
> some more information to track it down (but I'm not sure what exactly).
Thanks for your responses. After further testing and experimentation, I deduced my problem lay with my use of the 'synproxy' option on subsequent filter rules (the MSS value is not passed from peer-1's initial connection to the proxy's connection to peer-2).

Cheers
Richard