Date: Thu, 3 Dec 1998 13:45:15 -0800 (PST)
From: Archie Cobbs <archie@whistle.com>
To: Reinier.Bezuidenhout@KryptoKom.DE (Reinier Bezuidenhout)
Cc: nate@mt.sri.com, ru@ucb.crimea.ua, rivers@dignus.com, eischen@vigrid.com, dillon@apollo.backplane.com, hackers@FreeBSD.ORG, luigi@labinfo.iet.unipi.it
Subject: Re: TCP bug
Message-ID: <199812032145.NAA14072@bubba.whistle.com>
In-Reply-To: <199812030736.IAA06479@borg.kryptokom.de> from Reinier Bezuidenhout at "Dec 3, 98 08:36:56 am"

Reinier Bezuidenhout writes:
> I've missed some of the discussion, so if this is totally in the wrong
> direction .. :)
>
> We had a similar problem once when we had a 2.2.6 version of FreeBSD
> running and a ppp line connection and from there an ethernet going
> out to an ISP. The symptoms were that some sites on the internet would be
> reachable and others not. (We had ipfw running on the FreeBSD machine).
>
> After adding a "deny log all from any to any" just before the default
> rule, we saw that fragmented packets were also being tested against
> the firewall rules and would thus fail because of weird port numbers.
>
> We changed the MTU on the ppp line ( mmmm now I'm not sure if it was
> ppp or slip :/ ) to 1500 and then everything worked fine.
>
> I seem to remember a commit for ipfw that fixed this problem but
> I'm not sure.

Yes, ipfw used to try to match port numbers and TCP flags against
fragments. This bug was fixed in 2.2.6.

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com
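
Added example, not part of the original message and not ipfw's code: a minimal C sketch of why matching ports against a non-first IPv4 fragment yields the "weird port numbers" described above, next to a check that reads ports only when the fragment offset is zero. The function names and both sample packets are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Result of trying to read TCP/UDP ports from an IPv4 packet. */
struct ports { int valid; uint16_t src, dst; };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Fragment offset in 8-byte units: low 13 bits of header bytes 6-7. */
static unsigned frag_offset(const uint8_t *ip) { return be16(ip + 6) & 0x1fffu; }

/* Naive: treats whatever follows the IP header as a transport header. */
struct ports ports_naive(const uint8_t *ip, size_t len) {
    struct ports r = {0, 0, 0};
    if (len < 20) return r;
    size_t hl = (size_t)(ip[0] & 0x0f) * 4;
    if (hl < 20 || len < hl + 4) return r;
    r.valid = 1; r.src = be16(ip + hl); r.dst = be16(ip + hl + 2);
    return r;
}

/* Fragment-aware: only the fragment with offset 0 carries the ports. */
struct ports ports_checked(const uint8_t *ip, size_t len) {
    struct ports r = {0, 0, 0};
    if (len < 20 || frag_offset(ip) != 0) return r;
    return ports_naive(ip, len);
}

/* Constructed samples (checksums zeroed): 10.0.0.1 -> 10.0.0.2, TCP. */
static const uint8_t first_frag[] = {   /* MF set, offset 0, ports 1025 -> 80 */
    0x45,0x00,0x00,0x18, 0x12,0x34,0x20,0x00, 0x40,0x06,0x00,0x00,
    10,0,0,1, 10,0,0,2, 0x04,0x01,0x00,0x50 };
static const uint8_t later_frag[] = {   /* offset 185 (1480 bytes), payload "ABCD" */
    0x45,0x00,0x00,0x18, 0x12,0x34,0x00,0xb9, 0x40,0x06,0x00,0x00,
    10,0,0,1, 10,0,0,2, 0x41,0x42,0x43,0x44 };

int main(void) {
    struct ports n = ports_naive(later_frag, sizeof later_frag);
    struct ports c = ports_checked(later_frag, sizeof later_frag);
    printf("naive on later fragment:   %u -> %u\n", (unsigned)n.src, (unsigned)n.dst);
    printf("checked on later fragment: ports %s\n", c.valid ? "read" : "not present");
    return 0;
}
```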