From owner-freebsd-ipfw Tue May 28 13:26:31 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from atro.pine.nl (atro.pine.nl [213.156.0.2]) by hub.freebsd.org (Postfix) with ESMTP id D516237B400 for ; Tue, 28 May 2002 13:26:23 -0700 (PDT)
Received: by atro.pine.nl (Pine Internet Secure Mailer, from userid 65536) id 28F2C11D001; Tue, 28 May 2002 22:26:21 +0200 (MET DST)
Date: Tue, 28 May 2002 22:26:21 +0200
From: Patrick Oonk
To: Dizzy
Cc: ipfw@freebsd.org
Subject: Re: problem with ipfw
Message-ID: <20020528202620.GF25381@pine.nl>
Reply-To: patrick@pine.nl
References: <20020524213523.M34448@dizzy-online.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020524213523.M34448@dizzy-online.org>
User-Agent: Mutt/1.3.25i
X-Organization: Pine Internet B.V.
X-GSM: +31-6-24209907
X-message: secretary plugged hairdryer into UPS
X-Zen: Ommmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm
X-Coordinates: 52 04 43N - 4 17 27W
X-NCC-RegID: nl.pine
X-PGP-Fingerprint: DD29 1787 8F49 51B8 4FDF 2F64 A65C 42AE 155C 3934
X-PGP-KeyID: 155C3934
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Fri, May 24, 2002 at 09:35:23PM +0900, Dizzy wrote:
> hi,
>
> I run FreeBSD :
> FreeBSD tao.dizzy-online.org 4.5-RELEASE FreeBSD 4.5-RELEASE #2: Thu Mar 14
> 21:40:45 GMT 2002 ***:/usr/src/sys/compile/TAO i386
>
>
> My configuration is :
>
> 01000 allow ip from 192.0.1.0/24 to 192.0.1.0/24
> 39999 allow tcp from any to me 80
> 40001 allow tcp from any to me 443
> 40009 pipe 1 tcp from me 80 to any limit dst-addr 1
> 40011 allow tcp from me 443 to any
> 64999 allow ip from me to any
> 65000 allow ip from any to any
> 65535 deny ip from any to any
>
>
> I want to limit bandwidth and the number of connections on my web site.
> But sometimes, and from some domains, my website is not accessible.
> It seems to depend on download size, but I'm not sure.
>
> Any idea ?
> Is my config good ?

There are two solutions to this problem:

A) Allow ICMP type 3 code 4 messages to reach the webserver
B) Turn off Path MTU Discovery on the web server

Solution A enables your webserver to use the right MSS, and does not pose a security threat, see http://rr.sans.org/threats/ICMP.php

Solution B will allow the ISP router to fragment the packets.

Solution A is highly preferred, as fragmentation will lead to poorer performance.

For more information, and an explanation of terms and abbreviations, read:

ftp://ftp.isi.edu/in-notes/rfc2923.txt
http://www.worldgate.com/~marcs/mtu/
http://home.earthlink.net/~jaymzh666/solaris/mss/

--
patrick oonk - pine internet - patrick@pine.nl - www.pine.nl/~patrick
T:+31-70-3111010 - F:+31-70-3111011 - Read news at http://security.nl
PGPid A4E74BBF fp A7CF 7611 E8C4 7B79 CA36 0BFD 2CB4 7283 A4E7 4BBF
Note: my NEW PGP key is available at http://www.pine.nl/~patrick/
Excuse of the day: Fatal error right in front of screen

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
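The following is an added example, not part of the thread above and not the poster's or Patrick's own script, showing what the two fixes look like on the poster's FreeBSD 4.x host with ipfw. Assumptions worth stating: ipfw matches ICMP by type only (icmptypes), so the rule admits every ICMP destination-unreachable message (type 3) rather than just code 4 "fragmentation needed"; the pipe 1 bandwidth (512Kbit/s) is invented, since the post never shows the pipe configuration; and the 65000 allow-all from the post is replaced by an explicit deny, because with an allow-all in front of the default rule the host itself would already pass ICMP and the messages would then have to be getting dropped upstream, where Solution A has to be applied instead. IPFW and SYSCTL are overridable variables so the rules can be previewed with IPFW=echo before touching a live box.

```shell
#!/bin/sh
# Added example, not from the original thread. Rebuilds the poster's ipfw
# ruleset so that ICMP "destination unreachable" (type 3, which carries the
# code 4 "fragmentation needed" messages Path MTU Discovery relies on) can
# reach the web server (Solution A), and shows the sysctl for the alternative
# of disabling PMTUD on the server (Solution B). IPFW and SYSCTL can be
# overridden (e.g. IPFW=echo) to preview instead of apply.
set -u
IPFW=${IPFW:-/sbin/ipfw}
SYSCTL=${SYSCTL:-/sbin/sysctl}

# Solution A: same ruleset as the post, plus an ICMP rule placed ahead of
# anything that could discard it. The allow-all at 65000 is replaced by an
# explicit deny so the ICMP rule is actually what lets the message in; any
# other traffic the host needs (DNS replies, SSH) must be allowed above it.
apply_rules() {
    "$IPFW" -f flush
    "$IPFW" pipe 1 config bw 512Kbit/s        # bandwidth figure is assumed
    "$IPFW" add 01000 allow ip from 192.0.1.0/24 to 192.0.1.0/24
    # ipfw has no ICMP code match, so this admits all type 3 messages to the
    # host (and nothing else ICMP); code 4 among them is "fragmentation needed".
    "$IPFW" add 39990 allow icmp from any to me icmptypes 3
    "$IPFW" add 39999 allow tcp from any to me 80
    "$IPFW" add 40001 allow tcp from any to me 443
    # As in the post: web replies go through pipe 1, one dynamic rule (i.e.
    # one connection) per client address.
    "$IPFW" add 40009 pipe 1 tcp from me 80 to any limit dst-addr 1
    "$IPFW" add 40011 allow tcp from me 443 to any
    "$IPFW" add 64999 allow ip from me to any
    "$IPFW" add 65000 deny ip from any to any
}

# Solution B: stop the TCP stack from setting DF, so routers along the path
# can fragment instead of sending back ICMP the server never sees.
disable_pmtud() {
    "$SYSCTL" net.inet.tcp.path_mtu_discovery=0
}

# Rule number of the first previewed rule matching pattern $2 in preview
# text $1 (lines look like "add 39990 allow icmp from any to me icmptypes 3").
rule_number() {
    printf '%s\n' "$1" | grep "$2" | head -n 1 | awk '{print $2}'
}

case "${1:-}" in
    preview) (IPFW=echo; apply_rules) ;;       # print the ipfw commands
    apply)   apply_rules ;;                    # load them for real
    nopmtud) disable_pmtud ;;                  # Solution B instead
esac
```

Run it as `sh pmtud-rules.sh preview` to see the commands, `apply` to load them. The ICMP rule is deliberately scoped to type 3 to the host rather than to ICMP as a whole, which is the narrowest thing ipfw can express here; an ICMP-code-level match (type 3 code 4 only) needs a different packet filter.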