On 6/24/05, • • <googl3meister at gmail dot com> wrote:
> Ticking the allow fragments box should resolve the connection issues.
> However, it's really only a part of the solution, since the remote
> side may have been sending you ICMP type 3 code 4 but m0n0 was
> blocking these.

It shouldn't be. If I understand correctly how IPFilter works, it
will accept certain ICMP types in relation to an active session, so
stuff like path MTU discovery (PMTUD) works. If anybody knows more
definitively, please fill us in. It also has MSS clamping of some
sort, which assists here in some fashion (again, not intricately
familiar with how it works within IPF).

Now with that said, there are certainly some issues with PMTUD under
certain circumstances. I believe IPsec is one of those (if not the
only), given the number of problems with large packets causing dropped
connections that crop up (though I've never been able to replicate
them myself in a real-world environment, and haven't spent much time
experimenting with it). It doesn't have anything to do with firewall
rules though, as far as I can tell.
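
The check discussed in this message, as an added example that is not part of the original post and is not IPFilter's code: a simplified model of a stateful filter that accepts an ICMP type 3 code 4 message only when the packet quoted inside it belongs to a tracked session. The state-table layout, function names, addresses and ports are assumptions constructed for illustration.

```python
import struct

FRAG_NEEDED = (3, 4)  # ICMP destination unreachable, fragmentation needed

def ipv4(src, dst, proto, payload):
    """Build a minimal 20-byte IPv4 header plus payload (constructed sample data)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                       64, proto, 0, bytes(src), bytes(dst)) + payload

def frag_needed(mtu, quoted):
    """Build an ICMP type 3 code 4 message quoting `quoted` (checksum left 0)."""
    return struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + quoted

def parse_frag_needed(icmp):
    """Return (next_hop_mtu, flow) for a well-formed type 3 code 4, else None."""
    if len(icmp) < 8 + 20 + 8:          # ICMP header + quoted IP header + 8 L4 bytes
        return None
    itype, icode, _cksum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (itype, icode) != FRAG_NEEDED:
        return None
    inner = icmp[8:]                    # the original packet the router could not forward
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])  # TCP/UDP ports
    return mtu, (inner[9], tuple(inner[12:16]), sport, tuple(inner[16:20]), dport)

def related_to_state(icmp, state_table):
    """Accept the error only when the quoted packet matches a tracked flow."""
    parsed = parse_frag_needed(icmp)
    if parsed is None:
        return False, None
    mtu, flow = parsed
    return flow in state_table, mtu

# Constructed sample: one tracked TCP session from a LAN host to a remote server.
LAN, REMOTE, OTHER = (192, 168, 1, 10), (203, 0, 113, 5), (198, 51, 100, 7)
STATE = {(6, LAN, 40000, REMOTE, 443)}
tcp8 = struct.pack("!HHI", 40000, 443, 1)   # first 8 bytes of the TCP header
RELATED = frag_needed(1400, ipv4(LAN, REMOTE, 6, tcp8))
UNSOLICITED = frag_needed(576, ipv4(LAN, OTHER, 6, tcp8))

if __name__ == "__main__":
    print(related_to_state(RELATED, STATE))       # (True, 1400)
    print(related_to_state(UNSOLICITED, STATE))   # (False, 576)
```

The second sample quotes a flow that was never tracked, so it is rejected even though its type and code are correct.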