Hi,

Using OpenBSD as a firewall and NAT box, OpenBSD 4.2:

I have this rule: 'scrub in all max-mss 1400'

When two peers on opposite sides of this firewall attempt to connect, a TCP SYN packet passes in from peer-1 through one interface, with its MSS field set to 1360, through a bi-nat rule and the above scrub rule, and exits another interface, and onwards to peer-2, its MSS field value having been raised to 1400. (This effect was observed using tcpdump on both interfaces at the same time.)

This causes problems, as the packets returned from peer-2 are often too big for peer-1 to handle.

Is the raising of the MSS field value expected behaviour? The man page and FAQ, and the option name itself, indicated the max-mss value should set an upper limit, not an absolute value.

So what am I doing wrong? How do I use max-mss to set an upper limit, rather than an absolute value?

Cheers,
Richard
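A way to check the behaviour described in the post on captured SYN packets, as an added example that is not part of the original post or of pf: it parses the MSS option out of a raw TCP header, computes what a true upper-limit clamp (min of original MSS and max-mss) should produce, and flags an egress SYN whose MSS is higher than on ingress. The SYN headers here are constructed inline rather than taken from tcpdump, and the function and field names are this example's own.

```python
import struct

TCP_OPT_END, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2


def parse_tcp_options(tcp_header: bytes) -> dict:
    """Return TCP options keyed by option kind; the MSS value is decoded as an int."""
    data_offset = (tcp_header[12] >> 4) * 4          # header length in bytes
    opts = tcp_header[20:data_offset]
    result, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCP_OPT_END:
            break
        if kind == TCP_OPT_NOP:                      # single-byte padding
            i += 1
            continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option at offset %d" % i)
        body = opts[i + 2:i + length]
        result[kind] = struct.unpack("!H", body)[0] if kind == TCP_OPT_MSS else body
        i += length
    return result


def expected_clamped_mss(original_mss: int, max_mss: int) -> int:
    """What an upper-limit clamp (as the max-mss documentation describes) should yield."""
    return min(original_mss, max_mss)


def check_mss_clamp(ingress_syn: bytes, egress_syn: bytes, max_mss: int) -> dict:
    """Compare the MSS seen on the inside and outside interfaces against the expected clamp."""
    ingress = parse_tcp_options(ingress_syn)[TCP_OPT_MSS]
    egress = parse_tcp_options(egress_syn)[TCP_OPT_MSS]
    expected = expected_clamped_mss(ingress, max_mss)
    return {"ingress_mss": ingress, "egress_mss": egress,
            "expected_mss": expected, "raised": egress > ingress}


def build_syn(mss: int) -> bytes:
    """Constructed sample: a minimal 24-byte TCP SYN header carrying only an MSS option."""
    options = struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
    offset_flags = (6 << 12) | 0x002                  # data offset 6 words, SYN flag
    return struct.pack("!HHIIHHHH", 40000, 22, 1, 0, offset_flags, 65535, 0, 0) + options


if __name__ == "__main__":
    # Reproduces the post's observation: 1360 on ingress, 1400 on egress, max-mss 1400.
    print(check_mss_clamp(build_syn(1360), build_syn(1400), 1400))
```

The same function applied to real captures (the TCP header sliced out of each tcpdump frame) tells you whether the scrub rule behaved as a ceiling or rewrote the value outright.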