Lyle Giese skrev:
> Having just started using m0nowall in production, I am not used to it's logging yet. Here are two
entries that I am not used to seeing:
> Jun 8 00:12:24 linuxgw ipmon: 00:12:23.747547 ng0 @0:15 b 184.108.40.206 -> 220.127.116.11 PR
udp len 20 (792) (frag 5152:772@1480) IN
> Jun 8 00:12:24 linuxgw ipmon: 00:12:23.759113 ng0 @0:15 b 18.104.22.168 -> 22.214.171.124 PR
udp len 20 (792) (frag 5153:772@1480) IN
I see that you use ng0 as the wan interface. I presume you are using pppoe and
therefor have a smaller MTU then 1500.
> Are these because they are fragments? 126.96.36.199 seems to be a legit server run by ARIN, so I
would doubt it would be doing things that are malicious in nature. I just don't have a good
understanding of these yet.
The arin server is sending 1500 packets and your ISP has to fragment the packets
to fit your MTU of "1480" or something.
The default setting on m0n0wall is to block fragmented packets and thats what
you see in your log.
The MTU discovery it not working and there is nothing you can do about it.
Turn off the blocking on the m0n0wall to allow fragments (look in rules - lan -
default lan rule)or lower the MTU size on the windows machine. Or change ISP to
run a pure ethernet connection to have your full 1500 MTU.