Todd T. Fries <[EMAIL PROTECTED]> wrote:

> but .. the bottom line is, 'pf' only has support for reassembling
> IPv4 fragments, not IPv6. And yes, this renders a stateful filtering
> firewall mostly moot until this is fixed for IPv6, to be clear.

If you can get by with TCP...

> Theory suggests that PMTUD should handle things such that fragments do not
> appear, but encapsulation and tunneling via IPSec tend to generate them
> anyway..

... you can use MSS clamping:

    # IPv6+ESP(AES,SHA)+IPv6+TCP
    scrub on enc0 inet6 all max-mss 1362

-- 
Christian "naddy" Weisgerber [EMAIL PROTECTED]
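
The arithmetic behind a clamp value for the IPv6+ESP(AES,SHA)+IPv6+TCP stack, as an added example that is not part of the original post. It assumes a 1500-byte link MTU, tunnel mode, AES-CBC (16-byte block and IV) and HMAC-SHA1-96 (12-byte ICV); none of these are stated in the message, and the function names are hypothetical.

```python
# Added example: derive a TCP MSS clamp for IPv6-in-ESP-in-IPv6 tunnel mode.
# Assumed (not stated in the post): 1500-byte link MTU, AES-CBC (16-byte
# block and IV), HMAC-SHA1-96 (12-byte ICV), no extension headers, no UDP encap.

IPV6_HDR = 40      # fixed IPv6 header
TCP_HDR = 20       # TCP header without options
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)


def max_inner_packet(link_mtu, block=16, iv=16, icv=12, outer_hdr=IPV6_HDR):
    """Largest inner packet that still fits in one outer packet after ESP."""
    room = link_mtu - outer_hdr - ESP_HDR - iv - icv
    if room < block:
        raise ValueError("link MTU too small for this ESP transform")
    # Ciphertext (inner packet + padding + trailer) must be whole cipher blocks.
    ciphertext = room - (room % block)
    return ciphertext - ESP_TRAILER


def esp_packet_size(inner_len, block=16, iv=16, icv=12, outer_hdr=IPV6_HDR):
    """Size of the outer packet produced by encapsulating an inner packet."""
    padded = -(-(inner_len + ESP_TRAILER) // block) * block  # round up to block
    return outer_hdr + ESP_HDR + iv + padded + icv


def max_mss(link_mtu=1500, inner_hdr=IPV6_HDR, **esp):
    """MSS to clamp to so an encapsulated full-size segment is not fragmented."""
    return max_inner_packet(link_mtu, **esp) - inner_hdr - TCP_HDR


if __name__ == "__main__":
    mss = max_mss(1500)
    print("scrub on enc0 inet6 all max-mss %d" % mss)
    # One more byte of TCP payload spills into another cipher block:
    for m in (mss, mss + 1):
        size = esp_packet_size(m + TCP_HDR + IPV6_HDR)
        print("MSS %d -> %d bytes on the wire" % (m, size))
```

With a different transform or link MTU the safe value changes, so recompute it rather than reusing 1362.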