Hi all, I am having big trouble with a pptp tunnel from a home network to work. I need to prevent large frames coming back through the tunnel. For years I used this in the firewall/nat iptables setup: iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1100 but something, (upgrading F7 to F9, I think) has stopped it working. I have been trying lots of examples of the WWW and have no luck. Does anyone know what changed - or even which table I should be applying this to? Also, it is hard to debug as wireshark does not receive the large frame which brings down the tunnel. Is there an easy way to generate arbitrary sized frames? Thanks for any help. Ps: My rules:. Rather guessed at... [root@base sbin]# /sbin/iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere REJECT udp -- anywhere anywhere udp dpt:bootps reject-with icmp-port-unreachable REJECT udp -- anywhere anywhere udp dpt:domain reject-with icmp-port-unreachable ACCEPT tcp -- anywhere anywhere tcp dpt:ssh DROP tcp -- anywhere anywhere tcp dpts:spr-itunes:1023 DROP udp -- anywhere anywhere udp dpts:0:1023 Chain FORWARD (policy DROP) target prot opt source destination DROP all -- anywhere 168.254.0.0/16 ACCEPT all -- 168.254.0.0/16 anywhere ACCEPT all -- anywhere 168.254.0.0/16 Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain RH-Firewall-1-INPUT (0 references) target prot opt source destination