On Fri, Nov 09, 2007 at 12:59:46AM +0100, Max Laier wrote:

> Daniel, do you spot anything strange with these skip steps (or otherwise)?

The problem is the lack of IP reassembly in this configuration. In pf_test_fragment(), a rule with r->flagset ("flags S/SA") is skipped.

Generally, stateful filtering _requires_ IP reassembly. As long as no fragmentation occurs, it works even without reassembly. I suspect your UDP NFS traffic is fragmented. Try adding

  scrub in on $if all fragment reassemble

at the top.

Daniel
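
The point about reassembly, as an added illustration that is not part of the original mail and is not pf's code: a fragmented UDP datagram carries its port numbers only in the first fragment, so a filter that inspects fragments one by one has nothing to match port or state rules against in the later ones. The addresses, ports, IP ID and payload size are constructed sample values, and the reassembly here is a simplified in-order join.

```python
import struct

def ipv4_fragment(payload, offset, more, ident=0x1234, proto=17):
    """Build a 20-byte IPv4 header (checksum left 0) followed by payload."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + payload

def classify(packet):
    """Report what is visible in one packet when no reassembly is done."""
    ihl = (packet[0] & 0x0F) * 4
    ident, flags_off = struct.unpack("!HH", packet[4:8])
    offset = (flags_off & 0x1FFF) * 8          # fragment offset in bytes
    more = bool(flags_off & 0x2000)            # MF bit
    info = {"id": ident, "offset": offset,
            "fragment": more or offset > 0, "ports": None}
    if offset == 0 and len(packet) >= ihl + 4:
        # Only the first fragment holds the UDP header with the ports.
        info["ports"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return info

def reassemble(packets):
    """Join fragment payloads by offset; reject gaps and overlaps."""
    parts = sorted((classify(p)["offset"], p[(p[0] & 0x0F) * 4:])
                   for p in packets)
    data = b""
    for off, chunk in parts:
        if off != len(data):
            raise ValueError("gap or overlap at offset %d" % off)
        data += chunk
    return data

def sample_fragments(chunk=1480):
    """Constructed sample: 3000-byte UDP payload to port 2049, 3 fragments."""
    body = bytes(3000)
    datagram = struct.pack("!HHHH", 1023, 2049, 8 + len(body), 0) + body
    frags = [ipv4_fragment(datagram[o:o + chunk], o, o + chunk < len(datagram))
             for o in range(0, len(datagram), chunk)]
    return datagram, frags

if __name__ == "__main__":
    datagram, frags = sample_fragments()
    for f in frags:
        print(classify(f))
    print("reassembled ports:", struct.unpack("!HH", reassemble(frags)[:4]))
```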