>>>>> "rm" == Roy Marples <roy%marples.name@localhost> writes: rm> I've attached my current pf.conf As Brian pointed out in this rm> thread, PF does not handle IPv6 fragments That's bad but it's not the problem. There will never be any IPv6 TCP fragments, even with all this nonsense going on. There can be UDP fragments, though. rm> if I drop the MTU on my clients to 1492 then I don't need the rm> scrub mss line. Anyone have an opinion on which would be rm> better? the scrubbing is better. If all hosts on an ethernet do not have the same MTU set, this will cause a second level of brokenness---now you have two broken things instead of one. That scenario's likely because you'll forget, or you'll have test systems or guests or VM's or whatever.
Attachment:
pgpNTcCgPkMgn.pgp
Description: PGP signature