Tuesday, May 21, 2013

tcp-mss adjustment Fortigate style

Since FortiGates are my firewall of choice, I'm wrapping this up with a FGT sample.

FortiGate, like iptables/pf based firewalls, lets you adjust TCP MSS per firewall policy entry. You can adjust the MSS in either direction (send | receive).

For the receive direction it would look like the following:

Be advised that in all of these examples IPv6 was not demonstrated, nor is it supported. As a matter of fact, on the Juniper SRX and Fortinet firewalls you can't adjust the MSS for IPv6 TCP traffic from either the GUI or the command line. IPv6 also takes a different approach to MSS settings and controls, and leaves fragmentation to the client end hosts.

And for the above two firewall policies, you have to configure them from the FortiGate command line only. So get used to editing via "config firewall policy" :)
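As an added example (not from the original post), here is what such a clamp looks like on a single IPv4 firewall policy in the FortiGate CLI; the policy id, interface and address object names, and the 1350-byte value are assumptions you would replace with your own:

```fortios
# Added example, not from the original post. Policy id, interface names,
# address objects and the 1350 value are assumed; pick the MSS that fits
# your tunnel overhead (for IPv4, MSS = path MTU - 40 bytes of IP+TCP headers).
config firewall policy
    edit 10
        set name "lan-to-vpn-mss-clamp"
        set srcintf "internal"
        set dstintf "to_branch_vpn"
        set srcaddr "lan_subnet"
        set dstaddr "branch_subnet"
        set action accept
        set schedule "always"
        set service "ALL"
        # Send direction: rewrite the MSS option in the SYN from the
        # session initiator behind srcintf.
        set tcp-mss-sender 1350
        # Receive direction: rewrite the MSS option in the SYN-ACK coming
        # back from the far end. Leave either at 0 (the default) to not touch it.
        set tcp-mss-receiver 1350
    next
end
```

`show firewall policy 10` displays the resulting entry so you can confirm both tcp-mss values took effect.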

There you have it, my list of the various ways to adjust TCP MSS for traffic.

Ken Felix
Freelance Network/Security Engineer
kfelix ---at---hyperfeed --dot--com
