On 6/25/05, Chris Buechler <cbuechler at gmail dot com> wrote:
> On 6/24/05, • • <googl3meister at gmail dot com> wrote:
> >
> > Ticking the allow fragments box should resolve the connection issues.
> > However, it's really only a part of the solution, since the remote
> > side may have been sending you ICMP type 3 code 4 but m0n0 was
> > blocking these.
> >
>
> It shouldn't be. If I understand correctly how IPFilter works, it
> will accept certain ICMP types in relation to an active session, so
> stuff like path MTU discovery (PMTUD) works. If anybody knows more
> definitively, please fill us in. It also has MSS clamping of some
> sort, which assists here in some fashion (again, not intricately
> familiar with how it works within IPF).
>
> Now with that said, there are certainly some issues with PMTUD under
> certain circumstances. I believe IPsec is one of those (if not the
> only), given the number of problems with large packets causing dropped
> connections that crop up (though I've never been able to replicate
> them myself in a real world environment, and haven't spent much time
> experimenting with it). It doesn't have anything to do with firewall
> rules though, as far as I can tell.
>
> -Chris

You are correct - googling turns up this from the IPFilter FAQ (I should have just read the fine manual to begin with... :)

"Keep state will also allow ICMP packets related to a TCP or UDP session through. So if you get ICMP type 3 code 4 in response to some websurfing allowed out by a keep state rule, they will be automatically allowed in. Any packet that IPF can be certain is part of a connection, even if it's a different protocol, will be let in."

(source: http://www.phildev.net/ipf/IPFques.html)

More details here http://www.phildev.net/solaris/mss.html where he discusses the fragmentation problem in detail, which bolsters what I first thought re: fragments being blocked leading to seemingly hung connections.

--cheers
gm
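The two mechanisms the thread relies on, a "keep state" filter passing an inbound ICMP type 3 code 4 because it quotes a packet from a session that was allowed out, and MSS clamping shrinking the advertised segment size so PMTUD is never needed, can be modelled in a few lines. The following is an added example, not code from the m0n0wall list, from IPFilter or from the phildev.net pages; the addresses, ports and the 1400-byte next-hop MTU are constructed, packet checksums are left at zero because they do not affect the matching logic, and `StateTable` is a deliberately simplified stand-in for a real state engine (it keys only on the 5-tuple and does not track sequence numbers or timeouts).

```python
import socket
import struct
from typing import Dict, Optional, Tuple

# Toy model (added example, not IPFilter's code): a stateful filter that lets in
# ICMP errors related to a flow it allowed out, plus TCP MSS clamping.

ICMP_DEST_UNREACH = 3    # Destination Unreachable
ICMP_TIME_EXCEEDED = 11  # Time Exceeded (also quotes the offending packet)
ICMP_FRAG_NEEDED = 4     # code under type 3: fragmentation needed and DF set
PROTO_ICMP, PROTO_TCP = 1, 6

FlowKey = Tuple[str, int, str, int, int]  # (src, sport, dst, dport, proto)


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header with DF set; checksum left at 0 (constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def tcp_header(sport: int, dport: int, flags: int = 0x02, options: bytes = b"") -> bytes:
    """TCP header (SYN by default) followed by options padded to a 4-byte boundary."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset << 4, flags,
                       65535, 0, 0) + options


def icmp_frag_needed(router: str, host: str, next_hop_mtu: int, original: bytes) -> bytes:
    """Router-originated type 3 code 4 quoting the offending packet's IP header
    plus the first 8 bytes of its transport header (RFC 792 / RFC 1191 layout)."""
    ihl = (original[0] & 0x0F) * 4
    icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0,
                       next_hop_mtu) + original[: ihl + 8]
    return ipv4_header(router, host, PROTO_ICMP, len(icmp)) + icmp


def parse_icmp_error(packet: bytes) -> Optional[dict]:
    """Return type/code/next-hop MTU and the quoted flow, or None if not an ICMP error."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != PROTO_ICMP:
        return None
    icmp = packet[ihl:]
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type not in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
        return None
    inner = icmp[8:]                      # the packet that triggered the error
    inner_ihl = (inner[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[inner_ihl: inner_ihl + 4])
    return {"type": icmp_type, "code": code, "mtu": mtu,  # mtu meaningful for 3/4 only
            "flow": (src, sport, dst, dport, inner[9])}


class StateTable:
    """Flows allowed out by a 'keep state' rule (simplified: 5-tuple only)."""

    def __init__(self) -> None:
        self.flows: Dict[FlowKey, str] = {}

    def allow_out(self, src: str, sport: int, dst: str, dport: int, proto: int) -> None:
        self.flows[(src, sport, dst, dport, proto)] = "established"

    def is_related_icmp(self, packet: bytes) -> bool:
        """True when the ICMP error quotes a packet of a flow we let out, so it
        can be passed in without any explicit inbound ICMP rule."""
        err = parse_icmp_error(packet)
        return err is not None and err["flow"] in self.flows


def clamp_mss(tcp: bytes, mtu: int) -> Tuple[bytes, Optional[int]]:
    """Rewrite the MSS option of a SYN so segments fit the MTU (IPv4+TCP: MTU-40).
    Returns the new header and the value written, or None if nothing changed."""
    limit, hdr = mtu - 40, bytearray(tcp)
    offset, end = 20, (tcp[12] >> 4) * 4
    while offset < end:
        kind = hdr[offset]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP
            offset += 1
            continue
        length = hdr[offset + 1]
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", hdr[offset + 2: offset + 4])[0]
            if mss > limit:
                hdr[offset + 2: offset + 4] = struct.pack("!H", limit)
                return bytes(hdr), limit
            return bytes(hdr), None
        offset += length
    return bytes(hdr), None


def demo() -> Tuple[bool, bool, Optional[int]]:
    """Constructed scenario: 192.0.2.10 opens a session to 198.51.100.5:80 with
    MSS 1460; router 203.0.113.1 later reports a 1400-byte next hop."""
    table = StateTable()
    tcp = tcp_header(40000, 80, options=b"\x02\x04\x05\xb4")     # MSS option = 1460
    syn = ipv4_header("192.0.2.10", "198.51.100.5", PROTO_TCP, len(tcp)) + tcp
    table.allow_out("192.0.2.10", 40000, "198.51.100.5", 80, PROTO_TCP)
    related = table.is_related_icmp(icmp_frag_needed("203.0.113.1", "192.0.2.10", 1400, syn))
    other = tcp_header(40001, 443)
    stray = ipv4_header("192.0.2.10", "198.51.100.9", PROTO_TCP, len(other)) + other
    unrelated = table.is_related_icmp(icmp_frag_needed("203.0.113.1", "192.0.2.10", 1400, stray))
    _clamped, new_mss = clamp_mss(tcp, 1400)
    return related, unrelated, new_mss


if __name__ == "__main__":
    print(demo())
```

Blocking every inbound ICMP would make `is_related_icmp` irrelevant and hang large transfers exactly as described in the thread; the clamp shows the fallback that works even when the ICMP does get dropped, because a 1360-byte MSS never produces a 1500-byte segment in the first place.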