 From:  "Kristian Shaw" <monowall at wealdclose dot co dot uk>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Monowall 1.2B9 ICMP
 Date:  Tue, 6 Sep 2005 09:44:08 +0100

I have noticed some odd behaviour with ICMP and 1.2B9 that I don't fully understand. It seems that
the handling of fragmented ICMP packets (in particular I've been testing pings) is inconsistent.

If I ping the LAN address of the monowall (e.g. ping -l 1500) I get no response. If I ping the WAN
address I do get a response. With 1.2B3 I was able to ping the LAN address with whatever size ping
packet I tried.

From the LAN, if I ping a host on the Internet (that responds OK from other hosts) I sometimes get a
response, but more normally I get a drop in the monowall's log:

Sep  6 09:26:41 firewall-hv ipmon[87]: 09:26:41.071622 fxp1 @200:1 b ->
PR icmp len 20 (48) (frag 20834:28@1480) K-S K-F IN

I also see from previous posts that there have been issues with large ping packets being dropped over
IPSEC VPNs. I tried creating a VPN between the monowall and a Checkpoint NG firewall which actually
works for normal traffic. However, whilst hosts behind the monowall were able to ping hosts behind
the Checkpoint with large pings, the reverse wasn't true.

Any ideas?


Kris Shaw.
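Added worked example for readers of the thread; this is not code from the original post, from m0n0wall or from ipfilter. On a path whose MTU is 1500 bytes (assumed, plain Ethernet), an ICMP echo with a 1500-byte payload is 8 bytes of ICMP header plus 1500 bytes of data, which IP splits into a 1480-byte first fragment and a 28-byte second fragment at offset 1480. That is exactly the `len 20 (48) (frag 20834:28@1480)` entry quoted above: a 20-byte IP header plus 28 bytes of fragment data. The second fragment carries no ICMP header at all, so a filter rule that wants to see ICMP type and code before passing the packet has nothing to match on. The script computes the fragments for any `ping -l N` size (more general than the single 1500-byte case in the post) and decodes an ipmon line; the IP and ICMP header sizes and the MTU are assumptions, the regular expression is written for this example rather than taken from ipmon's source, and the sample log lines with their addresses are constructed.

```python
"""Worked example added as a reader aid; not code from the original post
or from m0n0wall/ipfilter.  Assumptions (labelled): IPv4 header of 20
bytes with no options, ICMP echo header of 8 bytes, and a path MTU of
1500 as on plain Ethernet.  The ipmon log lines below are constructed
for the example, with made-up addresses."""
import re

IP_HDR = 20     # assumed: IPv4 header without options
ICMP_HDR = 8    # ICMP echo: type, code, checksum, identifier, sequence
MTU = 1500      # assumed: Ethernet MTU on every hop


def fragment_icmp_echo(payload_len, mtu=MTU):
    """IP fragments of an ICMP echo carrying `payload_len` bytes of data
    (the size Windows `ping -l N` sets).

    Returns [(offset, length), ...] measured in bytes of the ICMP
    message, the same units ipmon prints as `frag <id>:<len>@<off>`.
    Every fragment except the last must carry a multiple of 8 bytes.
    """
    total = ICMP_HDR + payload_len
    per_frag = (mtu - IP_HDR) // 8 * 8      # 1480 for an MTU of 1500
    frags, off = [], 0
    while off < total:
        n = min(per_frag, total - off)
        frags.append((off, n))
        off += n
    return frags


# Matches the part of an ipmon line the post shows, e.g.
#   fxp1 @200:1 b A -> B PR icmp len 20 (48) (frag 20834:28@1480)
# Written for this example, not taken from ipmon's source.
IPMON_RE = re.compile(
    r"(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>\S) "
    r"(?P<src>\S+) -> (?P<dst>\S+) PR (?P<proto>\S+) "
    r"len (?P<hlen>\d+) \(?(?P<total>\d+)\)?"
    r"(?: \(frag (?P<fid>\d+):(?P<flen>\d+)@(?P<foff>\d+)\))?"
)


def parse_ipmon(line):
    """Decode one ipmon line into a dict, or return None if it does not
    have the shape above."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("group", "rule", "hlen", "total", "fid", "flen", "foff"):
        if d[key] is not None:
            d[key] = int(d[key])
    d["blocked"] = d["action"] == "b"          # ipmon: b = block, p = pass
    d["fragment"] = d["fid"] is not None
    # Only an unfragmented packet or the first fragment (offset 0) carries
    # the ICMP header; a later fragment is opaque payload at the IP layer.
    d["l4_header_visible"] = (not d["fragment"]) or d["foff"] == 0
    d["flags"] = [t for t in line.split()
                  if t.startswith("K-") or t in ("IN", "OUT")]
    return d


def fragment_fits_ping(d, payload_len, mtu=MTU):
    """True if the logged fragment is one `ping -l payload_len` would
    produce over the assumed MTU and its IP total length is consistent
    (header length + fragment data)."""
    if d is None or not d["fragment"]:
        return False
    return ((d["foff"], d["flen"]) in fragment_icmp_echo(payload_len, mtu)
            and d["total"] == d["hlen"] + d["flen"])


# Constructed sample lines (addresses made up); the first mirrors the
# block entry quoted in the post, the second is an unfragmented echo.
SAMPLE_FRAG = ("09:26:41.071622 fxp1 @200:1 b 192.168.1.10 -> 203.0.113.5 "
               "PR icmp len 20 (48) (frag 20834:28@1480) K-S K-F IN")
SAMPLE_PLAIN = ("09:26:41.071622 fxp1 @200:1 p 192.168.1.10 -> 203.0.113.5 "
                "PR icmp len 20 60 K-S IN")

if __name__ == "__main__":
    print("ping -l 1500 fragments:", fragment_icmp_echo(1500))
    print("ping -l 32 fragments:  ", fragment_icmp_echo(32))
    for line in (SAMPLE_FRAG, SAMPLE_PLAIN):
        d = parse_ipmon(line)
        print(d["action"], d["proto"],
              "fragment" if d["fragment"] else "whole packet",
              "| L4 header visible:", d["l4_header_visible"],
              "| fits ping -l 1500:", fragment_fits_ping(d, 1500))
```

Running it shows the 1500-byte ping producing `[(0, 1480), (1480, 28)]`, and the constructed block line decoding as the second fragment with no visible ICMP header, while a payload of 1472 bytes (8 + 1472 = 1480) is the largest that still fits one packet under these assumptions.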