From: John F Cuzzola
To: security@freebsd.org
Date: Fri, 8 Dec 2000 00:10:40 -0800 (PST)
Subject: pipsecd+ipfw fwd

Hello all,

I'm using pipsecd from the ports collection and it seems to do the job (for my purposes anyway). I've noticed, however, that when configuring the tunnel device the author recommends an MTU of 1440.

Recently I added a firewall rule like:

    ipfw add fwd ip from to any

to force the next hop through the tunnel. Well, it didn't work: it did for small amounts of data but not larger ones, which led me to suspect a path MTU discovery problem. I reconfigured the tunnel device for an MTU of 1500 and it works great.

My question is: when using ipfw fwd, what happens if the size of the packet exceeds the MTU of the device? When IPFW FWDing, do ICMP 3.4 messages get sent back for large packets whose don't-fragment bit is set, or does that packet just get dropped? It would appear the ICMP 3.4 message doesn't get sent back, but that could be because of the pipsecd port.

Kind of curious & thanks,
John
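The ICMP type 3 code 4 (fragmentation needed) exchange the question turns on, as an added example that is not part of the original post and is not pipsecd or ipfw code: the decision a forwarding host has to make when a packet exceeds the next-hop MTU (RFC 1191), and the sender-side parse of the message it should get back. The addresses and packet sizes are constructed; the 1440 and 1500 MTUs are the post's own numbers.

```python
import socket
import struct

def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def make_packet(total_len: int, df: bool, src="10.0.0.2", dst="10.0.1.2") -> bytes:
    """Constructed IPv4/TCP packet of the given total length; DF is bit 14 of flags/offset."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000 if df else 0,
                      64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + b"A" * (total_len - 20)

def build_frag_needed(original: bytes, next_hop_mtu: int) -> bytes:
    """ICMP type 3 code 4 (RFC 1191): 16 unused bits, next-hop MTU, then the offending IP header + 8 bytes."""
    ihl = (original[0] & 0x0F) * 4
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + original[:ihl + 8]
    return body[:2] + struct.pack("!H", ip_checksum(body)) + body[4:]

def forward_decision(packet: bytes, link_mtu: int):
    """What a forwarding host must do when the next hop (here, the tunnel) has a smaller MTU."""
    total_len = struct.unpack("!H", packet[2:4])[0]
    df = bool(struct.unpack("!H", packet[6:8])[0] & 0x4000)
    if total_len <= link_mtu:
        return "forward", None          # fits: pass it through unchanged
    if not df:
        return "fragment", None         # DF clear: the router may fragment it
    return "drop", build_frag_needed(packet, link_mtu)  # DF set: drop and tell the sender

def parse_frag_needed(msg: bytes):
    """Sender side of PMTUD: the advertised next-hop MTU, or None if not a valid 3/4 message."""
    if len(msg) < 8 or ip_checksum(msg) != 0:
        return None
    kind, code, _, _, mtu = struct.unpack("!BBHHH", msg[:8])
    return mtu if (kind, code) == (3, 4) else None

if __name__ == "__main__":
    pkt = make_packet(1500, df=True)            # full-size packet with DF set, as TCP PMTUD sends
    action, icmp = forward_decision(pkt, 1440)  # tunnel MTU from the post
    print(action, parse_frag_needed(icmp))      # drop 1440
```

If the forwarding path silently returns "drop" without the ICMP message (or a firewall rule discards it), the sender never learns the 1440 limit and large transfers stall while small ones succeed, which is the symptom described in the post.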