From owner-freebsd-security Sun Sep 17 12:48:19 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ocis.ocis.net (ocis.ocis.net [209.52.173.1]) by hub.freebsd.org (Postfix) with ESMTP id 74FD137B422 for ; Sun, 17 Sep 2000 12:48:17 -0700 (PDT)
Received: from localhost (vdrifter@localhost) by ocis.ocis.net (8.9.3/8.9.3) with ESMTP id MAA25458 for ; Sun, 17 Sep 2000 12:48:12 -0700
Date: Sun, 17 Sep 2000 12:48:11 -0700 (PDT)
From: John F Cuzzola
To: freebsd-security@FreeBSD.ORG
Subject: MTU Path Discovery + ipfw/natd
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello Everyone,

I have a question on why something works. Suppose I have a private net that a BSD box is masquerading for like this:

ROUTER ----------- FreeBSD Box --------- Private Net 192.168.0.0/24

Let's suppose the BSD box is masquerading through a public IP of 209.52.173.1. My question has to do with MTU Path Discovery. Suppose a computer 192.168.0.1 sends a packet with the don't fragment bit set. This packet's source address gets changed to 209.52.173.1 and sent to the next-hop (in this example the router). Now let's say the router can't handle the size of the packet and since it is not allowed to fragment, it tries to send an ICMP 3.4 message (Fragmentation needed but DF bit set). Well the router will send that ICMP message to 209.52.173.1 and 192.168.0.1 would never receive it.

I've never had any problems with ipfw/natd but was curious why this scenario doesn't seem to happen. Can anyone fill me in?

Thanks,
John

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
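As an added illustration (not part of the thread or of natd's code), this Python sketch shows the mechanism behind the question: an ICMP "fragmentation needed" error quotes the IP header and first 8 bytes of the packet that triggered it, so a NAT can look the quoted public address and port up in its translation table and rewrite the error toward the private host. The NAT table entry, addresses, ports and MTU are constructed sample values.

```python
import socket
import struct
# Constructed NAT state (assumption): private flow 192.168.0.1:1025 -> 10.1.2.3:80
# is masqueraded behind 209.52.173.1:40000, the kind of entry natd keeps.
NAT_TABLE = {("209.52.173.1", 40000, "10.1.2.3", 80): ("192.168.0.1", 1025)}

def checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071); 0 when data already carries it."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, flags_frag=0):
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, flags_frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def frag_needed(router_ip, nat_ip, remote_ip, sport, dport, mtu):
    """ICMP type 3 code 4 as the router sends it to the NAT box: quotes the offending IP header + 8 bytes."""
    quoted = ipv4_header(nat_ip, remote_ip, 6, 1480, 0x4000)  # 1500-byte packet, DF set
    quoted += struct.pack("!HHI", sport, dport, 0)             # TCP ports + seq number
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + quoted     # next-hop MTU in 2nd word
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(router_ip, nat_ip, 1, len(icmp)) + icmp

def nat_inbound_icmp_error(pkt: bytes):
    """Map an inbound ICMP error to its private host via the quoted (public addr, port); returns (ip, code, mtu, packet)."""
    outer = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    icmp = pkt[20:]
    ityp, icode, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if outer[6] != 1 or ityp != 3:
        return None
    q = struct.unpack("!BBHHHBBH4s4s", icmp[8:28])   # quoted IP header of our packet
    sport, dport = struct.unpack("!HH", icmp[28:32]) # quoted TCP ports
    key = (socket.inet_ntoa(q[8]), sport, socket.inet_ntoa(q[9]), dport)
    if key not in NAT_TABLE:
        return None  # no matching translation: drop it, as natd would
    priv_ip, priv_port = NAT_TABLE[key]
    # Rewrite the quoted source address/port back to the private host ...
    new_quoted = ipv4_header(priv_ip, socket.inet_ntoa(q[9]), q[6], q[2] - 20, q[4])
    new_quoted += struct.pack("!HH", priv_port, dport) + icmp[32:36]
    new_icmp = icmp[:2] + b"\x00\x00" + icmp[4:8] + new_quoted
    new_icmp = new_icmp[:2] + struct.pack("!H", checksum(new_icmp)) + new_icmp[4:]
    # ... and the outer destination, so the error is delivered to 192.168.0.1.
    new_outer = ipv4_header(socket.inet_ntoa(outer[8]), priv_ip, 1, len(new_icmp))
    return priv_ip, icode, mtu, new_outer + new_icmp
```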