Re: strange behaviour

On Monday 26 February 2007 at 16:34 +0100, Pascal Hambourg wrote:
> TCPMSS works only on TCP packets with the SYN flag set, so the options 
> "-p tcp --tcp-flags SYN,RST SYN" are required.

Indeed.

> Also, wouldn't it be useful to do it in both directions to avoid 
> fragmentation if host (b) does not use path MTU discovery ?

No, because you don't want to clamp inbound traffic to your MTU, but to
your peer's MTU. It's your peer's job to advertise its own MSS correctly.

Now, if you look more closely, you'll see you clamp MSS against the
destination PMTU. As the PMTU from your firewall to your server is most
probably the ethernet MTU, you will clamp it to 1500. So, if your peer
advertises 1452 as MSS, you will overwrite it with a higher value of 1460
and break everything.


-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
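The two points made in this thread (TCPMSS only acts on SYN segments, so the rule needs `--tcp-flags SYN,RST SYN`, and clamping in the inbound direction rewrites the peer's MSS against the wrong PMTU) can be checked on constructed packets. The following is an added illustration, not code from the list or from netfilter: it parses a minimal TCP header, applies the `SYN,RST SYN` flag match, and models `--clamp-mss-to-pmtu` the way the reply describes it (MSS rewritten to PMTU minus 40 bytes of IP and TCP headers). The segment builder, port numbers, the 1492-byte PPPoE path and the 1500-byte LAN path are all assumptions made for the example; TCP checksum recomputation is deliberately omitted.

```python
import struct

TCP_FLAG_SYN = 0x02
TCP_FLAG_RST = 0x04
TCP_FLAG_ACK = 0x10
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2
IP_TCP_HEADER_OVERHEAD = 40  # 20-byte IPv4 header + 20-byte TCP header


def build_tcp_segment(sport, dport, flags, mss=None):
    """Construct a minimal TCP header with an optional MSS option (test data only)."""
    options = b""
    if mss is not None:
        options = struct.pack("!BBH", TCPOPT_MSS, 4, mss)
    while len(options) % 4:  # pad the option list to a 32-bit boundary with NOPs
        options += bytes([TCPOPT_NOP])
    doff = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, doff << 4, flags, 65535, 0, 0)
    return header + options


def iter_options(seg):
    """Walk the TCP option list safely; yield (offset, kind, length)."""
    doff = (seg[12] >> 4) * 4
    i = 20
    while i < doff:
        kind = seg[i]
        if kind == TCPOPT_EOL:
            return
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= doff:
            return  # option header truncated
        length = seg[i + 1]
        if length < 2 or i + length > doff:
            return  # malformed length: stop instead of reading past the header
        yield i, kind, length
        i += length


def find_mss(seg):
    """Return the advertised MSS, or None if the segment carries no MSS option."""
    for off, kind, length in iter_options(seg):
        if kind == TCPOPT_MSS and length == 4:
            return struct.unpack_from("!H", seg, off + 2)[0]
    return None


def rule_matches(seg):
    """The '-p tcp --tcp-flags SYN,RST SYN' match: SYN set and RST clear."""
    flags = seg[13]
    return bool(flags & TCP_FLAG_SYN) and not (flags & TCP_FLAG_RST)


def clamp_mss_to_pmtu(seg, pmtu):
    """Model of --clamp-mss-to-pmtu as described in the reply: rewrite the MSS
    option to pmtu - 40. Returns (segment, old_mss, new_mss); segments the
    rule does not match, or without an MSS option, come back untouched."""
    if not rule_matches(seg):
        return seg, None, None
    new_mss = pmtu - IP_TCP_HEADER_OVERHEAD
    for off, kind, length in iter_options(seg):
        if kind == TCPOPT_MSS and length == 4:
            old_mss = struct.unpack_from("!H", seg, off + 2)[0]
            out = bytearray(seg)
            struct.pack_into("!H", out, off + 2, new_mss)  # checksum update omitted
            return bytes(out), old_mss, new_mss
    return seg, None, None


def scenario():
    """Both directions through the firewall (assumed PMTUs: 1492 out, 1500 in)."""
    # Outbound: our host advertises an ethernet MSS; the path to the peer is PPPoE.
    local_syn = build_tcp_segment(40000, 80, TCP_FLAG_SYN, mss=1460)
    _, out_old, out_new = clamp_mss_to_pmtu(local_syn, 1492)
    # Inbound: the peer already advertises 1452; clamping against the 1500-byte
    # LAN path raises it to 1460, which is the failure the reply warns about.
    peer_syn = build_tcp_segment(50000, 80, TCP_FLAG_SYN, mss=1452)
    _, in_old, in_new = clamp_mss_to_pmtu(peer_syn, 1500)
    # A plain ACK is never touched: the flag match fails before any rewrite.
    ack = build_tcp_segment(50000, 80, TCP_FLAG_ACK)
    _, ack_old, ack_new = clamp_mss_to_pmtu(ack, 1500)
    return {"outbound": (out_old, out_new), "inbound": (in_old, in_new),
            "ack": (ack_old, ack_new)}


if __name__ == "__main__":
    for direction, (old, new) in scenario().items():
        print(f"{direction}: MSS {old} -> {new}")
```

Running the scenario shows the outbound rule lowering 1460 to 1452 (useful) while the same rule on inbound SYNs turns the peer's 1452 into 1460; the ACK is left alone because the flag match fails, which is why the rule is written with `--tcp-flags SYN,RST SYN` rather than matching every TCP packet.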