 
 From:  • • <googl3meister at gmail dot com>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] PPPoE - MTU Problem
 Date:  Sat, 25 Jun 2005 09:31:40 +1000
On 6/25/05, Chris Buechler <cbuechler at gmail dot com> wrote:

> >
> > Ticking the allow fragments box should resolve the connection issues.
> > However, it's really only a part of the solution, since the remote
> > side may have been sending you ICMP type 3 code 4 but m0n0 was
> > blocking these.
> >
> 
> It shouldn't be.  If I understand correctly how IPFilter works, it
> will accept certain ICMP types in relation to an active session, so
> stuff like path MTU discovery (PMTUD) works.  If anybody knows more
> definitively, please fill us in.  It also has MSS clamping of some
> sort, which assists here in some fashion (again, not intricately
> familiar with how it works within IPF).
> 
> Now with that said, there are certainly some issues with PMTUD under
> certain circumstances.  I believe IPsec is one of those (if not the
> only), given the number of problems with large packets causing dropped
> connections that crop up (though I've never been able to replicate
> them myself in a real world environment, and haven't spent much time
> experimenting with it).  It doesn't have anything to do with firewall
> rules though, as far as I can tell.
> 
> -Chris


You are correct - googling turns up this from the IPFilter FAQ (I
should have just read the fine manual to begin with... :)

"Keep state will also allow ICMP packets related to a TCP or UDP
session through. So if you get ICMP type 3 code 4 in response to some
websurfing allowed out by a keep state rule, they will be
automatically allowed in. Any packet that IPF can be certain is part
of a connection, even if it's a different protocol, will be let in."
(source: http://www.phildev.net/ipf/IPFques.html)

More details here http://www.phildev.net/solaris/mss.html where he
discusses the fragmentation problem in detail, which bolsters what I
first thought re: fragments being blocked leading to seemingly hung
connections.


--cheers
gm