Roberto Nibali wrote:
>>>> iptables -I OUTPUT -p tcp --tcp-flags SYN,RST,ACK SYN,ACK -j
>>>> TCPMSS --clamp-mss-to-pmtu
>>
>> All,
>>
>> is there any possibility, even the slightest, that the change above
>> could cause corruption in emails (with e.g. Word or PDF attachments)
>> ?
>
> Yes, there's always a chance. You check for SYN/ACK flags and clamp
> mss there, probably killing fragmented packets (which could be
> generated with such things as Word or PDF attachments). I would need
> to take a deeper look at what you've created this time :).

OK, slight change - I'm now using the following on the real servers:

iptables -I OUTPUT -s 10.0.0.0/8 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1440

Any way that this would cause corruption of an email? (the 10.0.0.0/8
network is only used by my IPIP tunnels). The MSS negotiation happens
at session setup, so ....

/Per Jessen, Zürich