 From:  Anders Hagman <anders dot hagman at netplex dot se>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] logs from m0n0wall
 Date:  Tue, 09 Jun 2009 15:50:30 +0200

Lyle Giese wrote:
> Having just started using m0n0wall in production, I am not used to its logging yet.  Here are two entries that I am not used to seeing:
> Jun  8 00:12:24 linuxgw ipmon[89]: 00:12:23.747547 ng0 @0:15 b -> PR udp len 20 (792) (frag 5152:772@1480) IN
> Jun  8 00:12:24 linuxgw ipmon[89]: 00:12:23.759113 ng0 @0:15 b -> PR udp len 20 (792) (frag 5153:772@1480) IN

I see that you use ng0 as the WAN interface. I presume you are using PPPoE and 
therefore have a smaller MTU than 1500.

> Are these because they are fragments? seems to be a legit server run by ARIN, so I would doubt it would be doing things that are malicious in nature.  I just don't have a good understanding of these yet.

The ARIN server is sending 1500 packets and your ISP has to fragment the packets 
to fit your MTU of "1480" or something.

The default setting on m0n0wall is to block fragmented packets and that's what 
you see in your log.

The MTU discovery is not working and there is nothing you can do about it.

Turn off the blocking on the m0n0wall to allow fragments (look in rules - lan - 
default lan rule) or lower the MTU size on the Windows machine. Or change ISP to 
run a pure Ethernet connection to have your full 1500 MTU.
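
An added example, not part of the original message or of m0n0wall: a small Python parser for the ipmon lines quoted above, to pick blocked fragments out of a firewall log. It assumes the `(frag A:B@C)` field is IP ID, fragment payload length and byte offset, and that a trailing `+` marks "more fragments"; the function names are hypothetical.

```python
import re

# Constructed sample: the two log lines quoted in the message, each joined onto one line.
SAMPLE = """\
Jun  8 00:12:24 linuxgw ipmon[89]: 00:12:23.747547 ng0 @0:15 b -> PR udp len 20 (792) (frag 5152:772@1480) IN
Jun  8 00:12:24 linuxgw ipmon[89]: 00:12:23.759113 ng0 @0:15 b -> PR udp len 20 (792) (frag 5153:772@1480) IN
"""

# Addresses are absent in the quoted lines, so everything between the action
# letter and "PR" is skipped rather than parsed.
LINE_RE = re.compile(
    r"ipmon\[\d+\]:\s+\S+\s+(?P<ifname>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>\S+)\s+.*?PR\s+(?P<proto>\S+)\s+len\s+(?P<hlen>\d+)\s+\(?(?P<iplen>\d+)\)?"
    r".*?\(frag\s+(?P<id>\d+):(?P<flen>\d+)@(?P<off>\d+)(?P<flags>[+-]*)\)\s+(?P<dir>IN|OUT)"
)

def parse_line(line):
    """Return a dict of fields for an ipmon line carrying a frag field, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("group", "rule", "hlen", "iplen", "id", "flen", "off"):
        rec[key] = int(rec[key])
    rec["first_fragment"] = rec["off"] == 0        # offset 0 carries the UDP header
    rec["more_fragments"] = "+" in rec["flags"]    # assumption: '+' means MF is set
    rec["payload_end"] = rec["off"] + rec["flen"]  # bytes of IP payload seen so far
    return rec

def blocked_fragments(text):
    """Collect every fragment that the filter logged with action 'b' (blocked)."""
    out = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "b":
            out.append(rec)
    return out

if __name__ == "__main__":
    for r in blocked_fragments(SAMPLE):
        print(f"{r['ifname']} rule @{r['group']}:{r['rule']} {r['proto']} "
              f"id={r['id']} off={r['off']} len={r['flen']} "
              f"first={r['first_fragment']} end={r['payload_end']}")
```
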