 From:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Could someone explain this firewall log
 Date:  Sat, 15 Apr 2006 16:49:03 -0400
On 4/15/06, Raylund Lai <raylund dot lai at kankanwoo dot com> wrote:
>
> Here I got one of the logs which when the user at 70.55.224.22 tried to
> access my http service.  The server that holds the http is at
> 192.168.0.21.  I've opened port/nat/server-nat/outbound-nat all together
> that were working for about half year.
>
> [X]     16:03:08.498773     WAN     70.55.224.22     192.168.0.21, type
> unreach/needfrag     ICMP
>

That was blocked?  ICMP return traffic from an existing state should
be permitted.  That's an ICMP unreachable, fragmentation needed but DF
bit set message, it appears.  i.e. your server tried to send a packet
larger than some MTU along the path to that client machine.

Try lowering your server's MTU to 1400 and see if the problem still
exists.  Also make sure your m0n0wall's WAN MTU is set correctly for
your connection.

-Chris
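
For reference, an added example (not part of the original message) that decodes an ICMP type 3, code 4 message like the one in the log: it reads the next-hop MTU field defined by RFC 1191 and the quoted header of the oversized packet, which identifies the connection the error belongs to. The packet bytes, the 1492-byte MTU, the port numbers and the function names are constructed for illustration.

```python
import socket
import struct

def parse_needfrag(icmp: bytes):
    """Decode an ICMP 'fragmentation needed and DF set' message (type 3, code 4).

    Returns None for anything else. Checksums are not verified here.
    """
    if len(icmp) < 8 + 20:
        return None
    icmp_type, code, _cksum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        return None
    inner = icmp[8:]                  # quoted IP header of the packet that was too big
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None
    total_len, _ident, flags_frag = struct.unpack("!HHH", inner[2:8])
    src = socket.inet_ntoa(inner[12:16])
    dst = socket.inet_ntoa(inner[16:20])
    # First 4 bytes after the IP header are the ports (meaningful for TCP/UDP only).
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {
        "next_hop_mtu": mtu,          # 0 means the router predates RFC 1191
        "orig_len": total_len,        # size of the packet that did not fit
        "df": bool(flags_frag & 0x4000),
        "proto": inner[9],
        "flow": (src, sport, dst, dport),
        # Largest TCP MSS that fits: MTU minus 20-byte IP and 20-byte TCP headers.
        "max_mss": mtu - 40 if mtu >= 68 else None,
    }

def build_sample() -> bytes:
    # Constructed sample: a 1500-byte TCP packet with DF set, sent from the
    # server's port 80 to the client, rejected by a hop with a 1492-byte MTU.
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 63, 6, 0,
                        socket.inet_aton("192.168.0.21"),
                        socket.inet_aton("70.55.224.22"))
    tcp8 = struct.pack("!HHI", 80, 51234, 1)
    return struct.pack("!BBHHH", 3, 4, 0, 0, 1492) + inner + tcp8

if __name__ == "__main__":
    print(parse_needfrag(build_sample()))
```

If `orig_len` exceeds `next_hop_mtu` and `df` is set, the sender has to lower its packet size for that path, which is what reducing the server's MTU achieves.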