From: Archie Cobbs
Date: Thu, 3 Dec 1998 13:45:15 -0800 (PST)
Subject: Re: TCP bug
To: Reinier.Bezuidenhout@KryptoKom.DE (Reinier Bezuidenhout)
Cc: nate@mt.sri.com, ru@ucb.crimea.ua, rivers@dignus.com, eischen@vigrid.com, dillon@apollo.backplane.com, hackers@FreeBSD.ORG, luigi@labinfo.iet.unipi.it
Message-Id: <199812032145.NAA14072@bubba.whistle.com>
In-Reply-To: <199812030736.IAA06479@borg.kryptokom.de> from Reinier Bezuidenhout at "Dec 3, 98 08:36:56 am"

Reinier Bezuidenhout writes:
> I've missed some of the discussion, so if this is totally in the wrong
> direction .. :)
>
> We had a similar problem once when we had a 2.2.6 version of FreeBSD
> running and a ppp line connection and from there an ethernet going
> out to an ISP. The symptoms were that some sites on the internet would be
> reachable and others not. (We had ipfw running on the FreeBSD machine).
>
> After adding a "deny log all from any to any" just before the default
> rule, we saw that fragmented packets were also being tested against
> the firewall rules and would thus fail because of weird port numbers.
>
> We changed the MTU on the ppp line ( mmmm now I'm not sure if it was
> ppp or slip :/ ) to 1500 and then everything worked fine.
>
> I seem to remember a commit for ipfw that fixed this problem but
> I'm not sure.

Yes, ipfw used to try to match port numbers and TCP flags against
fragments. This bug was fixed in 2.2.6.

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com
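The "weird port numbers" Reinier saw come from a simple fact of IPv4 fragmentation: only the first fragment (fragment offset 0) carries the TCP or UDP header, so a filter that reads ports or TCP flags from a later fragment is really reading application data and will match the wrong rule. The Python below is an added illustration for this thread, not ipfw or any FreeBSD code: it builds two constructed fragments of one TCP datagram, shows a toy filter that applies port criteria to every fragment (the pre-fix behaviour described above) steering the second fragment into the catch-all deny, and a corrected filter that evaluates transport criteria only on the first fragment and lets later fragments of the same (src, dst, id) inherit that verdict. The rule set, addresses and packet contents are constructed sample data.

```python
import struct

# Illustrative code for the ipfw fragment discussion; not FreeBSD's ipfw.
IP_PROTO_TCP = 6
TCP_SYN = 0x02


def build_ipv4(src, dst, proto, ident, more_frags, frag_offset_units, payload):
    """Encode a 20-byte IPv4 header (checksum left zero; constructed sample)."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr + payload


def build_tcp(sport, dport, flags, data):
    """Encode a 20-byte TCP header with no options (checksum left zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + data


def parse_ipv4(pkt):
    """Decode the fields a filter needs: addresses, protocol, fragment info, payload."""
    vihl, _, total_len, ident, ff, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {"src": src, "dst": dst, "proto": proto, "id": ident,
            "mf": bool(ff & 0x2000), "frag_offset": ff & 0x1FFF,
            "payload": pkt[ihl:total_len]}


def read_ports(payload):
    """Interpret the first four payload bytes as source and destination ports.
    Only meaningful when the payload actually starts with a transport header."""
    return struct.unpack("!HH", payload[:4])


# Constructed rule set modelled on the thread: allow web traffic, then a catch-all deny.
RULES = [
    {"action": "allow", "proto": IP_PROTO_TCP, "dport": 80},
    {"action": "deny", "proto": None, "dport": None},
]


def evaluate_rules(ip, rules, have_transport_header):
    """First-match evaluation. Rules with port criteria are skipped when the
    packet is known not to carry a transport header."""
    for rule in rules:
        if rule["proto"] is not None and ip["proto"] != rule["proto"]:
            continue
        if rule["dport"] is not None:
            if not have_transport_header:
                continue  # cannot be judged without the header; try later rules
            if read_ports(ip["payload"])[1] != rule["dport"]:
                continue
        return rule["action"]
    return "deny"


def buggy_filter(pkt, rules):
    """Pre-fix behaviour: port criteria are applied to every fragment, so a
    non-first fragment's data bytes are misread as port numbers."""
    return evaluate_rules(parse_ipv4(pkt), rules, have_transport_header=True)


def fixed_filter(pkt, rules, frag_state):
    """Only the first fragment (offset 0) has a transport header. Its verdict is
    remembered per (src, dst, id) while more fragments are expected; later
    fragments inherit it. A non-first fragment with no remembered verdict (out
    of order, or the first fragment was never seen) is judged by IP-level rules only."""
    ip = parse_ipv4(pkt)
    key = (ip["src"], ip["dst"], ip["id"])
    if ip["frag_offset"] == 0:
        verdict = evaluate_rules(ip, rules, have_transport_header=True)
        if ip["mf"]:
            frag_state[key] = verdict
        return verdict
    if key in frag_state:
        return frag_state[key]
    return evaluate_rules(ip, rules, have_transport_header=False)


# Constructed sample datagram split into two fragments (addresses are sample values).
SRC, DST = bytes([10, 0, 0, 2]), bytes([192, 0, 2, 10])
DATAGRAM_ID = 0x1234
# First fragment: TCP header to port 80 plus 12 data bytes (32 bytes, a multiple of 8).
FIRST_FRAG = build_ipv4(SRC, DST, IP_PROTO_TCP, DATAGRAM_ID, True, 0,
                        build_tcp(40000, 80, TCP_SYN, b"GET / HTTP/1"))
# Second fragment: pure application data at byte offset 32 (4 units of 8).
# Its leading bytes 0x04d2 0x162e would be misread as ports 1234 and 5678.
SECOND_FRAG = build_ipv4(SRC, DST, IP_PROTO_TCP, DATAGRAM_ID, False, 4,
                         b"\x04\xd2\x16\x2e.1\r\nHost: x\r\n")

if __name__ == "__main__":
    print("buggy :", buggy_filter(FIRST_FRAG, RULES), buggy_filter(SECOND_FRAG, RULES))
    state = {}
    print("fixed :", fixed_filter(FIRST_FRAG, RULES, state), fixed_filter(SECOND_FRAG, RULES, state))
```

The buggy filter allows the first fragment and denies the second, which is exactly the pattern of a "deny log all" rule lighting up with nonsense ports; the corrected filter allows both, because the verdict was taken where the header actually is. Raising the link MTU to 1500, as in the thread, merely stops fragmentation from happening; the filter change is what makes fragmented datagrams pass correctly.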