Date: Mon, 21 Oct 2002 14:18:30 -0400
From: Rob Ellis <rob@web.ca>
To: freebsd-questions@freebsd.org
Subject: ipfw: ping and icmp fragments
Message-ID: <20021021181830.GE39892@web.ca>

i have a question about ipfw and how it handles fragments.

i'm running 4.5-RELEASE-p7 on the firewall, and have rules that allow pings to one of the machines on the inside, and pings do work to that machine. however, they don't work if i do 'ping -s NNNN' where NNNN is anything greater than 1464 (which forces the packet to fragment)...

looking at tcpdump for the outside interface, i can see the request coming in:

    123.123.123.231 > 234.234.234.12: icmp: echo request (frag 2599:1472@0+)
    123.123.123.231 > 234.234.234.12: (frag 2599:36@1472)

but listening on the inside interface, only the fragment gets through:

    123.456.789.123 > 234.234.234.12: (frag 2652:36@1472)

since a ping with a packet size less than 1465 works fine (no fragmentation), why does the packet get blocked if it's the first fragment??

what happens to the first fragmented packet of tcp connections? how can i test that?

thanks.

- rob

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
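
Added example, not part of the original message: a Python check that parses the tcpdump fragment notation quoted in the post (frag ID:SIZE@OFFSET, with a trailing "+" when more fragments follow) and reports, per IP ID, whether a capture holds every piece needed for reassembly. The function names are made up for this example; the sample lines are the ones quoted in the post.

```python
import re
from collections import defaultdict

# tcpdump prints fragments as (frag ID:SIZE@OFFSET) and appends "+" when
# the More Fragments flag is set.
FRAG_RE = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")

# Capture lines as quoted in the post (outside, then inside interface).
OUTSIDE = [
    "123.123.123.231 > 234.234.234.12: icmp: echo request (frag 2599:1472@0+)",
    "123.123.123.231 > 234.234.234.12: (frag 2599:36@1472)",
]
INSIDE = ["123.456.789.123 > 234.234.234.12: (frag 2652:36@1472)"]

def parse_frags(lines):
    """Group fragments by IP ID as (offset, size, more_fragments) tuples."""
    dgrams = defaultdict(list)
    for line in lines:
        m = FRAG_RE.search(line)
        if m:
            ident, size, off, mf = m.groups()
            dgrams[int(ident)].append((int(off), int(size), mf == "+"))
    return dgrams

def audit(frags):
    """Say whether one datagram's fragments could be reassembled."""
    frags = sorted(frags)
    has_first = frags[0][0] == 0   # only the offset-0 fragment carries the ICMP header
    has_last = not frags[-1][2]    # the final fragment has More Fragments clear
    expected, contiguous = 0, True
    for off, size, _ in frags:
        if off != expected:        # hole (or overlap) in the byte range
            contiguous = False
        expected = off + size
    return {
        "has_first": has_first,
        "has_last": has_last,
        "complete": has_first and has_last and contiguous,
        "bytes_seen": sum(size for _, size, _ in frags),
    }

def check(lines):
    """Audit every fragmented datagram found in a capture."""
    return {ident: audit(frags) for ident, frags in parse_frags(lines).items()}

if __name__ == "__main__":
    for name, capture in (("outside", OUTSIDE), ("inside", INSIDE)):
        for ident, result in check(capture).items():
            print(name, ident, result)
```

Run over both captures, it shows the outside interface seeing a complete 1508-byte ICMP message (8-byte header plus 1500 bytes of echo data), while the inside interface holds only the trailing 36 bytes, which the destination cannot reassemble.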