Date: Tue, 28 May 2002 22:26:21 +0200
From: Patrick Oonk <patrick@pine.nl>
To: Dizzy <guest@dizzy-online.org>
Cc: ipfw@freebsd.org
Subject: Re: problem with ipfw
Message-ID: <20020528202620.GF25381@pine.nl>
In-Reply-To: <20020524213523.M34448@dizzy-online.org>
References: <20020524213523.M34448@dizzy-online.org>
On Fri, May 24, 2002 at 09:35:23PM +0900, Dizzy wrote:
> hi,
>
> I run FreeBSD:
> FreeBSD tao.dizzy-online.org 4.5-RELEASE FreeBSD 4.5-RELEASE #2: Thu Mar 14
> 21:40:45 GMT 2002 ***:/usr/src/sys/compile/TAO i386
>
> My configuration is:
>
> 01000 allow ip from 192.0.1.0/24 to 192.0.1.0/24
> 39999 allow tcp from any to me 80
> 40001 allow tcp from any to me 443
> 40009 pipe 1 tcp from me 80 to any limit dst-addr 1
> 40011 allow tcp from me 443 to any
> 64999 allow ip from me to any
> 65000 allow ip from any to any
> 65535 deny ip from any to any
>
> I want to limit bandwidth and the number of connections on my web site.
> But sometimes, and from some domains, my website is not accessible.
> It seems to depend on download size, but I am not sure.
>
> Any idea?
> Is my config good?

There are two solutions to this problem:

A) Allow ICMP type 3 code 4 messages to reach the webserver
B) Turn off Path MTU Discovery on the web server

Solution A enables your webserver to use the right MSS, and does not pose
a security threat, see http://rr.sans.org/threats/ICMP.php

Solution B will allow the ISP router to fragment the packets.

Solution A is highly preferred, as fragmentation will lead to poorer
performance.

For more information, and an explanation of terms and abbreviations, read:

ftp://ftp.isi.edu/in-notes/rfc2923.txt
http://www.worldgate.com/~marcs/mtu/
http://home.earthlink.net/~jaymzh666/solaris/mss/

-- 
patrick oonk - pine internet - patrick@pine.nl - www.pine.nl/~patrick
T:+31-70-3111010 - F:+31-70-3111011 - Read news at http://security.nl
PGPid A4E74BBF fp A7CF 7611 E8C4 7B79 CA36 0BFD 2CB4 7283 A4E7 4BBF
Note: my NEW PGP key is available at http://www.pine.nl/~patrick/
Excuse of the day: Fatal error right in front of screen

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
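What the two fixes look like on a FreeBSD host, as an added example that is not part of the thread and not Patrick's or Dizzy's code. It expresses solution A as an ipfw rule and solution B as the sysctl, and adds a small check (check_icmp_unreach, my own helper) that reads `ipfw list` output and reports whether an ICMP type 3 message can reach the host before some rule drops it. Assumptions: rule number 39990 is a free slot just ahead of the posted web rules; the two rule dumps at the bottom are constructed, not taken from Dizzy's box; DRY_RUN=1 (the default) only prints the ipfw and sysctl commands, so the script runs anywhere. One caveat worth knowing before you rely on the rule: ipfw matches ICMP by type only (icmptypes), not by code, so the rule admits every "destination unreachable" message, not only code 4.

```shell
#!/bin/sh
# Added example, not from the original thread: the two fixes for a blocked
# Path MTU Discovery exchange on a FreeBSD ipfw host, plus a check over an
# `ipfw list` dump. Rule number 39990 is an assumed free slot ahead of the
# posted web rules; the sample rulesets below are constructed for the demo.
# DRY_RUN=1 (default) prints the commands instead of executing them.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Solution A: admit ICMP "destination unreachable" (type 3) so the server's
# TCP stack sees code 4 (fragmentation needed, DF set) and lowers its MSS.
# Caveat: ipfw's icmptypes matches the type only, not the code, so this
# lets every type-3 message through. Keep it ahead of any rule that would
# drop ICMP, otherwise it is never reached.
apply_solution_a() {
    run ipfw add 39990 allow icmp from any to me icmptypes 3
}

# Solution B: stop the server from setting DF, so routers fragment instead.
# Add the same setting to /etc/sysctl.conf to keep it across reboots.
apply_solution_b() {
    run sysctl net.inet.tcp.path_mtu_discovery=0
}

# check_icmp_unreach: read `ipfw list` output on stdin; exit 0 if a rule
# admitting ICMP type 3 to this host is reached before any rule that would
# drop it, exit 1 otherwise. Interface-bound rules (via/recv/xmit, e.g. the
# usual lo0 rule) and source-restricted rules are skipped; inspect those
# by hand.
check_icmp_unreach() {
    awk '
        function covers_type3(line) {
            # plain ip/icmp rule, or an icmptypes list containing 3
            if (line !~ /icmptypes/) return 1
            return (line ",") ~ /icmptypes +([0-9]+,)*3,/
        }
        / (via|recv|xmit) / { next }
        /^[0-9]+ +allow +(log +)?(ip|icmp) +from +any +to +(me|any)/ {
            if (covers_type3($0)) { ok = 1; exit }
        }
        /^[0-9]+ +(deny|drop) +(log +)?(ip|icmp) +from +any +to +(me|any)/ {
            if (covers_type3($0)) { ok = 0; exit }
        }
        END { exit ok ? 0 : 1 }
    '
}

# Constructed sample dumps (not from the thread). The strict ruleset drops
# ICMP before the web rules; the fixed one adds the type-3 allow ahead of it.
RULES_STRICT='00100 allow ip from any to any via lo0
00200 deny icmp from any to me
39999 allow tcp from any to me 80
40001 allow tcp from any to me 443
65535 deny ip from any to any'

RULES_FIXED='00100 allow ip from any to any via lo0
00190 allow icmp from any to me icmptypes 3
00200 deny icmp from any to me
39999 allow tcp from any to me 80
40001 allow tcp from any to me 443
65535 deny ip from any to any'

# check_ruleset NAME RULES: print a one-line verdict for a rule dump.
check_ruleset() {
    if printf '%s\n' "$2" | check_icmp_unreach; then
        printf '%s: ICMP type 3 reaches this host\n' "$1"
    else
        printf '%s: ICMP type 3 is dropped; PMTUD will fail\n' "$1"
    fi
}

check_ruleset strict "$RULES_STRICT"
check_ruleset fixed "$RULES_FIXED"
apply_solution_a
apply_solution_b
```

On a live box, replace the constructed dumps with `ipfw list | check_icmp_unreach`. Remember that the check only says whether your own firewall admits the message; if a router or firewall upstream drops type 3 before it reaches you, the rule will not help and solution B is the fallback.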