I've played around a bit more with 1.2B9 to see why fragmented ICMP packets
were being dropped.
1. Large packets sent from the LAN (ping -l 1500) to the Monowall were being
dropped by the web GUI anti-lockout rule. Disabling this rule and/or
modifying filter.inc allowed the Monowall to respond to large pings.
2. By modifying filter.inc I was able to make large icmp packets traverse an
IPSEC VPN. I added the 'keep frags' statement to the pass out rules, e.g.
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on $lanif all keep state keep frags
I have tested this against a Checkpoint VPN and was able to successfully
ping 4096 bytes (+ higher) across the VPN to LAN hosts behind the Monowall.
This is important to me because Windows 2000/XP group policies use large
ping packets to determine link speed. If ping packets get blocked, group
policies don't apply properly.
3. I was unable to reliably ping hosts on the Internet from the Monowall LAN
with large ping packets. More often than not the returning packet would get
dropped even though all the outbound rules had the keep frags box checked:
Sep 11 22:07:27 firewall ipmon: 22:07:27.008801 fxp1 @200:1 b 22.214.171.124 -> 192.168.55.10 PR icmp len 20 (48) (frag 58258:28@1480-) K-S
----- Original Message -----
From: "Kristian Shaw" <monowall at wealdclose dot co dot uk>
To: "Chris Buechler" <cbuechler at gmail dot com>
Cc: <m0n0wall at lists dot m0n0 dot ch>
Sent: Thursday, September 08, 2005 12:57 AM
Subject: Re: [m0n0wall] Monowall 1.2B9 ICMP
> I did a bit more testing.
> Monowall 1.1 responds OK to pings. 1.2B3 works OK but every beta after
> drops fragmented ping packets. I haven't yet tested to see if UDP packets
> are affected.
> The problem does seem to be with IPFilter. I disabled IPF from the
> exec.php page and was able to ping the monowall with large packets again.
> I took a quick look at pfsense and that doesn't seem to drop packets,
> although I don't think it uses IPF?