On Wed, March 22, 2006 10:18 pm, Diego Casati wrote:
> Hi,
>
> I'm trying to block a Windows XP SP2 with the OSFP support on PF but a
> rather odd behavior seems to be happening. Not sure about this. This is the
> only lines that I have on my pf.conf. The thing is, when I take the word
> "no-df" from the scrub line it works, what I am missing here? If I take the
> no-df statement it works!
>
> # pf.conf
>
> ext_if="vr0"
> scrub in on $ext_if all no-df
> block in on $ext_if from any os "Windows XP SP1"
>
> regards,
>
> Diego

My guess would be that 'scrub no-df' clears the df flag on all the incoming packets thus throwing off the matching. Windows seems to like df flag a lot.

-- nick
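
An added illustration of the guess above (not code from the thread or from pf): a toy matcher over one pf.os-style signature, showing a SYN that matches while DF is set and stops matching once a scrub-like step clears DF. The signature values, the packet fields, and the assumption that fingerprinting sees the packet after scrub are constructed for this example.

```python
from dataclasses import dataclass, replace

# Field layout from pf.os(5):
#   window:TTL:DF:size:options:class:version:subtype:description
# Constructed signature for illustration, not copied from a real pf.os file.
# Simplification: only a plain numeric window is handled here.
SIGNATURE = "65535:128:1:48:M*,N,N,S:Windows:XP:SP1:Windows XP SP1"

@dataclass(frozen=True)
class Syn:
    window: int
    ttl: int       # TTL as observed at the firewall
    df: int        # IP "don't fragment" bit
    size: int      # total packet length
    options: str   # TCP option layout, e.g. "M1460,N,N,S"

def parse_signature(line):
    window, ttl, df, size, options, _cls, _ver, _sub, desc = line.split(":")
    return {"window": int(window), "ttl": int(ttl), "df": int(df),
            "size": int(size), "options": options.split(","), "desc": desc}

def options_match(wanted, seen):
    if len(wanted) != len(seen):
        return False
    # "M*" accepts any MSS value; every other option must match exactly.
    return all(s.startswith("M") if w == "M*" else w == s
               for w, s in zip(wanted, seen))

def fingerprint(syn, sig):
    """Return the OS description if every field matches, else None."""
    # Simplification: accept an observed TTL up to 31 hops below the initial TTL.
    ttl_ok = 0 <= sig["ttl"] - syn.ttl < 32
    ok = (syn.window == sig["window"] and ttl_ok and syn.df == sig["df"]
          and syn.size == sig["size"]
          and options_match(sig["options"], syn.options.split(",")))
    return sig["desc"] if ok else None

def scrub_no_df(syn):
    """Model of 'scrub ... no-df': clear DF before the rules see the packet."""
    return replace(syn, df=0)

if __name__ == "__main__":
    sig = parse_signature(SIGNATURE)
    # Constructed SYN, two hops away from the firewall.
    syn = Syn(window=65535, ttl=126, df=1, size=48, options="M1460,N,N,S")
    print("without no-df:", fingerprint(syn, sig))
    print("with no-df:   ", fingerprint(scrub_no_df(syn), sig))
```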