On 6/25/05, Chris Buechler <cbuechler at gmail dot com> wrote:
> On 6/24/05, • • <googl3meister at gmail dot com> wrote:
> > Ticking the allow fragments box should resolve the connection issues.
> > However, it's really only a part of the solution, since the remote
> > side may have been sending you ICMP type 3 code 4 but m0n0 was
> > blocking these.
> It shouldn't be. If I understand correctly how IPFilter works, it
> will accept certain ICMP types in relation to an active session, so
> stuff like path MTU discovery (PMTUD) works. If anybody knows more
> definitively, please fill us in. It also has MSS clamping of some
> sort, which assists here in some fashion (again, not intricately
> familiar with how it works within IPF).
> Now with that said, there are certainly some issues with PMTUD under
> certain circumstances. I believe IPsec is one of those (if not the
> only), given the number of problems with large packets causing dropped
> connections that crop up (though I've never been able to replicate
> them myself in a real world environment, and haven't spent much time
> experimenting with it). It doesn't have anything to do with firewall
> rules though, as far as I can tell.
You are correct - googling turns up this from the IPFilter FAQ (I
should have just read the fine manual to begin with... :)
"Keep state will also allow ICMP packets related to a TCP or UDP
session through. So if you get ICMP type 3 code 4 in response to some
websurfing allowed out by a keep state rule, they will be
automatically allowed in. Any packet that IPF can be certain is part
of a connection, even if it's a different protocol, will be let in."
More details here http://www.phildev.net/solaris/mss.html where he
discusses the fragmentation problem in detail, which bolsters what I
first thought re: fragments being blocked leading to seemingly hung
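To make the quoted FAQ behaviour concrete, here is an added example (not code from the m0n0wall list, m0n0wall or IPFilter) of the two mechanisms the thread touches: a toy stateful filter that lets an inbound ICMP type 3 code 4 through only when the packet it quotes matches a flow already created by an outbound "keep state" rule, and a minimal MSS clamp that rewrites the MSS option in a SYN. The addresses (RFC 5737 documentation ranges), ports, the 1400-byte next-hop MTU and the 1380 clamp value are all constructed sample data, and the state table is a simplified stand-in for IPF's, keyed only on the 5-tuple.

```python
import struct
from ipaddress import ip_address

PROTO_ICMP, PROTO_TCP = 1, 6
ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED = 3, 4
IP_DF = 0x4000  # "don't fragment" bit in the IPv4 flags/fragment-offset field

def ipv4_header(src, dst, proto, total_len, flags=0):
    # Minimal 20-byte IPv4 header; checksum left at zero (not verified in this toy).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags, 64,
                       proto, 0, ip_address(src).packed, ip_address(dst).packed)

def tcp_header(sport, dport, seq, flags=0x18, options=b""):
    # Options must already be padded to a multiple of 4 bytes.
    data_off = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, data_off << 4,
                       flags, 65535, 0, 0) + options

def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) of an IPv4 datagram."""
    ihl = (pkt[0] & 0x0F) * 4
    return (str(ip_address(pkt[12:16])), str(ip_address(pkt[16:20])), pkt[9], pkt[ihl:])

def icmp_frag_needed(router, offending_pkt, next_hop_mtu):
    """What a router returns for a DF packet that exceeds the next-hop MTU (RFC 1191):
    type 3 / code 4, the next-hop MTU, then the offending IP header plus 8 bytes."""
    icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    icmp += offending_pkt[:28]
    victim = str(ip_address(offending_pkt[12:16]))  # the original sender
    return ipv4_header(router, victim, PROTO_ICMP, 20 + len(icmp)) + icmp

def next_hop_mtu(icmp_error_pkt):
    _, _, _, icmp = parse_ipv4(icmp_error_pkt)
    return struct.unpack("!H", icmp[6:8])[0]

class StateTable:
    """Flows created by outbound 'keep state' rules, keyed on the 5-tuple."""
    def __init__(self):
        self.flows = set()

    def add_outbound(self, pkt):
        src, dst, proto, payload = parse_ipv4(pkt)
        sport, dport = struct.unpack("!HH", payload[:4])
        self.flows.add((src, dst, proto, sport, dport))

    def related_flow(self, pkt):
        """Return the flow an inbound ICMP error belongs to, or None if it quotes
        nothing we hold state for (so a blind spoof is dropped, not admitted)."""
        src, dst, proto, icmp = parse_ipv4(pkt)
        if proto != PROTO_ICMP or icmp[0] != ICMP_DEST_UNREACH:
            return None
        quoted = icmp[8:]
        if len(quoted) < 28:           # need inner IP header + 8 transport bytes
            return None
        isrc, idst, iproto, itransport = parse_ipv4(quoted)
        if dst != isrc:                # error must be addressed to the original sender
            return None
        sport, dport = struct.unpack("!HH", itransport[:4])
        flow = (isrc, idst, iproto, sport, dport)
        return flow if flow in self.flows else None

def mss_value_offset(tcp_hdr):
    """Offset of the 16-bit MSS value in a TCP header, or None if there is no MSS option."""
    hdr_len = (tcp_hdr[12] >> 4) * 4
    i = 20
    while i < hdr_len:
        kind = tcp_hdr[i]
        if kind == 0:                  # end of option list
            return None
        if kind == 1:                  # NOP padding
            i += 1
            continue
        length = tcp_hdr[i + 1]
        if length < 2:                 # malformed option, stop rather than loop forever
            return None
        if kind == 2 and length == 4:
            return i + 2
        i += length
    return None

def read_mss(tcp_hdr):
    off = mss_value_offset(tcp_hdr)
    return None if off is None else struct.unpack("!H", tcp_hdr[off:off + 2])[0]

def clamp_mss(tcp_hdr, max_mss):
    """Rewrite the MSS option of a SYN so the peer never sends segments larger than
    max_mss; a real filter would also recompute the TCP checksum afterwards."""
    off = mss_value_offset(tcp_hdr)
    if off is None or struct.unpack("!H", tcp_hdr[off:off + 2])[0] <= max_mss:
        return tcp_hdr
    return tcp_hdr[:off] + struct.pack("!H", max_mss) + tcp_hdr[off + 2:]

# Constructed sample traffic: a 1500-byte DF packet (payload omitted, only headers
# matter here), the router's reply to it, and a spoofed error quoting a flow we never opened.
OUTBOUND = ipv4_header("192.0.2.10", "198.51.100.20", PROTO_TCP, 1500, IP_DF) + tcp_header(40000, 80, 1000)
FRAG_NEEDED = icmp_frag_needed("203.0.113.1", OUTBOUND, 1400)
SPOOFED = icmp_frag_needed("203.0.113.1",
                           ipv4_header("192.0.2.10", "198.51.100.20", PROTO_TCP, 1500, IP_DF)
                           + tcp_header(40001, 80, 1), 576)
SYN = tcp_header(40000, 80, 1000, flags=0x02, options=b"\x02\x04\x05\xb4")  # MSS 1460

def demo():
    table = StateTable()
    table.add_outbound(OUTBOUND)   # the "keep state" rule fired on the way out
    return {
        "genuine": table.related_flow(FRAG_NEEDED),
        "spoofed": table.related_flow(SPOOFED),
        "mtu": next_hop_mtu(FRAG_NEEDED),
        "clamped_mss": read_mss(clamp_mss(SYN, 1380)),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The check that matters for security is the one on the quoted inner header: without it, any host could inject "fragmentation needed" errors and drive a session's path MTU down (or, with other codes, tear it down). Note that the state match needs the quoted 5-tuple in the clear; with IPsec, the packet the router quotes back is the ESP packet, so the filter sees no TCP ports to match and the error may never reach the application flow, which is one reason PMTUD inside tunnels is fragile and why clamping the MSS on the SYN is used as a fallback.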