Re: Strange MTU Problem



On Mon, 26 May 2008, in the Usenet newsgroup comp.os.linux.networking, in
article <g1e45s$4p7$1@xxxxxxxxxxxxxxx>, Geoff Lane wrote:

> Moe Trin wrote:
>
>>> As the only thing I recalled altering was the MTU changed it back to
>>> 1472 and now all fine.
>>
>> Someplace, there is a firewall that is dropping ICMP Type 3 Code 4
>> packets ("Fragmentation needed, but don't fragment bit set"). This
>> could be a misguided attempt at security, or a NAT translation that
>> isn't forwarding the error to the right computer.
>
> I've got an older Vigor 2600 NAT router, on the IP tables I have barred
> everything in and out unless I open the ports.

Depends on the routers - mine does not forward stuff by default, so
unless I've added a rule telling the firewall to forward port $FOO
to host $BAR port $BAZ, the firewall responds with an ICMP Type 3 for
the protocol and/or port number. Replies to packets that my system
originated (which are then NAT'ed) are automagically translated and
forwarded. Outbound filtering I don't use, as I don't have windoze
boxes auto-installing malware, and the like. It always makes me laugh
to see the so-called firewalls for windoze always saying that "this
application tried to connect to host $FOO on the Internet - is this OK?"
because the user gets used to this, and blindly clicks the <OK> icon
without understanding.

> To date with trial and error, if anything doesn't work I check the ports
> in the router's system log and open that port if I require it. All
> normal ports are open.

That's a good plan.

> The rules apply to TCP/UDP so I assume ICMP is not affected.

Probably not the case. Does the router know how to forward the ICMP
errors to the correct host on the NAT'ed side?

> Is Path MTU Discovery on by default? I have looked at DR TCP and have
> tried altering the MTU and saving but it always comes up blank when I
> launch the program again.

Depends on how your kernel is compiled, but probably so. Simple
test is to see if the DF flag is set in your outbound packets. A
sniffer shows this readily.

Old guy
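The DF-flag check and the ICMP Type 3 Code 4 handling discussed in the thread, as an added Python example that is not part of the original post: it decodes constructed IPv4 packets, reports whether DF is set, extracts the next-hop MTU from a fragmentation-needed error, and shows the lookup a NAT must do (the quoted inner header's address, protocol and port against its translation table) to deliver the error to the right LAN host. All addresses, ports and the NAT_TABLE are constructed for the example.

```python
import struct
from typing import Optional

def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 fields that matter for PMTUD: DF flag, protocol, addresses."""
    ver_ihl, _tos, _tlen, _id, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"df": bool(flags_frag & 0x4000), "proto": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "payload": pkt[ihl:]}

def frag_needed(pkt: bytes) -> Optional[dict]:
    """Return details of an ICMP Type 3 Code 4 error, or None for anything else.
    The error quotes the original IP header plus 8 bytes of its payload, which
    for TCP and UDP are exactly the source and destination ports."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != 1:                       # not ICMP
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", ip["payload"][:8])
    if (typ, code) != (3, 4):
        return None
    inner = parse_ipv4(ip["payload"][8:])
    sport, dport = struct.unpack("!HH", inner["payload"][:4])
    return {"mtu": mtu, "inner_src": inner["src"], "inner_dst": inner["dst"],
            "inner_proto": inner["proto"], "sport": sport, "dport": dport}

def nat_origin(err: dict, nat_table: dict) -> Optional[str]:
    """The lookup a NAT router needs: the quoted header carries the *translated*
    source, so (public_src, proto, sport) must be matched against the NAT's own
    state to find the LAN host. None models the error being dropped instead."""
    return nat_table.get((err["inner_src"], err["inner_proto"], err["sport"]))

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, df: bool = True) -> bytes:
    """Constructed test packet; checksums stay zero because nothing here validates them."""
    a = lambda s: bytes(int(o) for o in s.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000 if df else 0, 64, proto, 0, a(src), a(dst))
    return hdr + payload

# Constructed scenario: a LAN host's TCP segment left with DF set and was NAT'ed to
# the router's public address; a router on the path answered with Type 3 Code 4,
# quoting the translated header and advertising a 1472-byte next-hop MTU.
NAT_TABLE = {("198.51.100.1", 6, 40001): "192.168.1.10"}
OUTBOUND = build_ipv4("198.51.100.1", "203.0.113.5", 6,
                      struct.pack("!HH", 40001, 80) + b"\x00" * 16)
ICMP_ERR = build_ipv4("203.0.113.9", "198.51.100.1", 1,
                      struct.pack("!BBHHH", 3, 4, 0, 0, 1472) + OUTBOUND[:28], df=False)
```

frag_needed(OUTBOUND) returns None, frag_needed(ICMP_ERR) reports MTU 1472, and nat_origin() with NAT_TABLE returns 192.168.1.10; with an empty table it returns None, which is the black hole the thread is chasing.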


