[IOML] Dylan you might like this one!

Dylan Smith dyls at alioth.net
Fri Aug 19 16:57:25 BST 2005


On Fri, 19 Aug 2005, Simon Slaytor wrote:

> scrub in all fragment reassemble no-df
> scrub out all random-id max-mss 1460

I've not used GRE in years, but one thing the Linux FW probably won't be
doing is the above (I don't think iptables has the capability). Not
knowing how GRE state is determined, I'm guessing that something might be
getting screwed up here.

Failing that, not knowing anything about the internals of GRE, I'd
probably start testing with pfctl disabled on fw1 then enable it and begin
adding rules one at a time until it breaks...

Of course, Ethereal is your friend in these instances too.



