From owner-freebsd-questions Mon Oct 21 11:18:51 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6BF3337B401 for ; Mon, 21 Oct 2002 11:18:50 -0700 (PDT)
Received: from spin.web.net (spin.web.net [192.139.37.16]) by mx1.FreeBSD.org (Postfix) with ESMTP id E21A343E88 for ; Mon, 21 Oct 2002 11:18:49 -0700 (PDT) (envelope-from rob@web.net)
Received: by spin.web.net (Postfix, from userid 1000) id E741D12E401; Mon, 21 Oct 2002 14:18:30 -0400 (EDT)
Date: Mon, 21 Oct 2002 14:18:30 -0400
From: Rob Ellis
To: freebsd-questions@freebsd.org
Subject: ipfw: ping and icmp fragments
Message-ID: <20021021181830.GE39892@web.ca>
Mail-Followup-To: Rob Ellis , freebsd-questions@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.28i
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

i have a question about ipfw and how it handles fragments.

i'm running 4.5-RELEASE-p7 on the firewall, and have rules that allow pings to one of the machines on the inside, and pings do work to that machine. however, they don't work if i do 'ping -s NNNN' where NNNN is anything greater than 1464 (which forces the packet to fragment)...

looking at tcpdump for the outside interface, i can see the request coming in:

    123.123.123.231 > 234.234.234.12: icmp: echo request (frag 2599:1472@0+)
    123.123.123.231 > 234.234.234.12: (frag 2599:36@1472)

but listening on the inside interface, only the fragment gets through:

    123.456.789.123 > 234.234.234.12: (frag 2652:36@1472)

since a ping with a packet size less than 1465 works fine (no fragmentation), why does the packet get blocked if it's the first fragment?? what happens to the first fragmented packet of tcp connections? how can i test that?

thanks.

- rob

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
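An added example, not part of the original post: a small Python checker that parses the `(frag ID:LEN@OFF+)` notes tcpdump prints for fragmented IPv4 datagrams, groups them by IP id per capture, and reports which piece of each datagram never appeared on that interface. This is the diagnostic a firewall operator would run on the outside and inside captures to confirm it is the offset-0 fragment (the one carrying the ICMP or TCP header) that is being dropped. The sample captures, addresses and ids below are constructed placeholders.

```python
import re
from collections import defaultdict

# tcpdump's fragment note: (frag ID:LEN@OFF+)
# '+' means the More Fragments bit is set, i.e. this is not the last piece.
FRAG_RE = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")

def parse_fragments(capture):
    """Group fragment notes by IP id: id -> list of (offset, length, more_frags)."""
    datagrams = defaultdict(list)
    for line in capture.splitlines():
        m = FRAG_RE.search(line)
        if m:
            frag_id, length, offset, more = m.groups()
            datagrams[int(frag_id)].append((int(offset), int(length), more == "+"))
    return datagrams

def check_datagram(frags):
    """Return a list of problems for one datagram's fragments (empty if complete)."""
    problems = []
    frags = sorted(frags)
    if not frags or frags[0][0] != 0:
        problems.append("first fragment (offset 0, carries the ICMP/TCP header) missing")
    expected = frags[0][0] if frags else 0
    for offset, length, more in frags:
        if offset > expected:              # hole between consecutive fragments
            problems.append(f"gap: bytes {expected}-{offset} missing")
        expected = max(expected, offset + length)
    if frags and frags[-1][2]:             # highest-offset piece still has MF set
        problems.append("last fragment (MF clear) missing")
    return problems

def audit(capture):
    """Map each IP id seen in a capture to its list of problems."""
    return {fid: check_datagram(frags) for fid, frags in parse_fragments(capture).items()}

# Constructed captures in the format of the post; ids differ across interfaces
# as they did in the post, so each capture is audited on its own.
OUTSIDE = """\
10.0.0.1 > 192.0.2.12: icmp: echo request (frag 2599:1472@0+)
10.0.0.1 > 192.0.2.12: (frag 2599:36@1472)
"""
INSIDE = "10.0.0.1 > 192.0.2.12: (frag 2652:36@1472)\n"

if __name__ == "__main__":
    for name, cap in (("outside", OUTSIDE), ("inside", INSIDE)):
        for fid, problems in audit(cap).items():
            print(name, fid, problems or "complete")
```

Run against real captures, feed it the output of `tcpdump -n -i <interface>` for each side of the firewall; a datagram that is complete outside but reports a missing first fragment inside is the case described in the post.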