Re: PF Burst & Windows Client
Christoph,
Been having lots of fun with this one. It looks like your comment about the
DF flag is probably right on the mark. However...
> I am not sure if pf in 3.0 is already able to scrub the DF flag, but otherwise
> you could also reduce the mtu on your external if (untested, just guess)..
>
A "man pf.conf" tells me all about scrubbing, and I set up my /etc/pf.conf
to scrub outbound packets from the Windows box:

NoRouteForYou="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
# Disallow all illegal (i.e. spoofed) packets
block in log quick on rl0 from $NoRouteForYou to any
block out log quick on rl0 from any to $NoRouteForYou
# Kill Don't Fragment flag on Windows Packets
scrub out on rl0 from 192.168.2.2/32 to any
# pass all packets in and out (these are the implicit last two rules)
scrub in all
#pass out all

However, when running tcpdump, I still see (DF) at the end of every packet.
Of course, since I haven't done much with pf besides the basics, I could be
misinterpreting things here...but that looks like the scrub command isn't
working.

Any thoughts on how to ensure that I'm rid of that flag?

Also, where exactly would I set up my mtu information for config at
boot-time -- /etc/hostname.rl0?

Thanks for your help.

Alex Kirk
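As an added example (not part of the thread or its author's config): the ruleset above rewritten with the explicit no-df scrub option that pf.conf(5) documents for clearing the dont-fragment bit, since a bare "scrub" only normalises fragments. Whether the 3.0 release accepts no-df and random-id is an assumption to check against that release's pf.conf(5); the rl0 interface and the 192.168.2.2 host are taken from the post.

```conf
# Constructed pf.conf fragment, not from the thread. Interface rl0 and the
# Windows host 192.168.2.2 are the values from the post above.
NoRouteForYou="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# Drop traffic with non-routable (spoofed) source or destination addresses
block in  log quick on rl0 from $NoRouteForYou to any
block out log quick on rl0 from any to $NoRouteForYou

# Clear the dont-fragment bit on packets leaving the Windows host.
# A plain "scrub" only reassembles and sanity-checks fragments; "no-df"
# is the option that actually strips DF. "random-id" is paired with it
# because some stacks send DF packets with IP id 0, and once those become
# fragmentable a zero id would cause reassembly collisions (pf.conf(5)).
scrub out on rl0 from 192.168.2.2 to any no-df random-id
scrub in all

# Equivalent rule in the "match ... scrub (...)" syntax of later pf releases:
# match out on rl0 from 192.168.2.2 scrub (no-df random-id)
```

To confirm the rule takes effect, watch only packets that still carry DF (bit 0x40 of IP header byte 6) from that host: `tcpdump -n -i rl0 'src 192.168.2.2 and ip[6] & 0x40 != 0'` should go quiet once the ruleset is loaded.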