Fragged packets allowed in from LAN:
@6 pass in quick from 10.0.0.0/8 to any \
keep state keep frags group 100
Fragged packets allowed in from WAN:
@1 pass in log quick from any to any \
keep state keep frags group 200
Return packets blocked from www.netbsd.org (220.127.116.11):
Sep 7 08:52:36 bl0ck ipmon: \
08:52:35.742487 ng0 @0:16 b 18.104.22.168 -> 22.214.171.124 \
PR tcp len 20 (1476) frag 1456@24 IN
This is really buggin. And www.netbsd.org continues to be the
only site we have this trouble with.
WAN is set up with PPPoE, an adsl connection.
Thank you for all help, suggestions.
On Tue, 7 Sep 2004 08:31:19 -0300
Roberto Pereyra <rjpereyra at gualeguaychu dot gov dot ar> wrote:
> Allow fragmented packets in the LAN interface.
> Please tell us if works.
> On Mon, Sep 06, 2004 at 04:19:35PM -0700, Wayne Marshall wrote:
> > I put up m0n0wall 1.1 on soekris net4801. Now I am unable to
> > browse the netbsd.org site for some reason; I have not yet
> > encountered any problems with any other site.
> > Tried all of dillo, mozilla, firefox, lynx browsers from both
> > OpenBSD (3.5) and FreeBSD (5.2) client workstations.
> > The netbsd.org site is not down; I've accessed it from other
> > hosts outside the m0n0wall.
> > In the logs, return tcp traffic comes back from netbsd.org,
> > but without port address, and is blocked by default rule. I
> > then add rules to accept fragged packets; full reboot to
> > reset states; still no go.
> > Any clues that can help out here?
> > Wayne
> > --
> > Wayne Marshall
> > wcm at guinix dot com