Re: Strange MTU Problem



On Tue, 27 May 2008, in the Usenet newsgroup comp.os.linux.networking, in
article <g1hf9j$701$1@xxxxxxxxxxxxxxx>, Geoff Lane wrote:

Moe Trin wrote:

The rules apply to TCP/UDP so I assume ICMP is not affected.

Probably not the case. Does the router know how to forward the ICMP
errors to the correct host on the NAT'ed side?

The way I understand it my Vigor 2600 allows everything unless I deny
it. It can read a rule then branch to another so I set mine for DROP
IMMEDIATELY unless any further match and later allow popular ports.

ICMP errors are sent to the system whose source is in the packet that
caused the error, but ICMP has no port numbers. Think of the situation
where 192.168.11.21 is one of five hosts hiding behind a NAT router.
On the local side, a packet has real source address and destination,
along with real port numbers. The NAT router takes this packet and
replaces the source IP and source port number, while keeping track of
both, and the packet that goes out over the Internet has the correct
destination, but the source address/port number of something on the
NAT box. The world has no means of easily knowing that the source
is a box on the 192.168.11.xx net.

If you next look at RFC0792, you'll find that the ICMP Type 3
(Destination Unreachable) error has the normal 20-byte IP header, an
8-byte ICMP header (0x03 0x?? 0xchecksum, 0x0, 0x0, 0x0 0x0), 20+ bytes
of the IP header that caused the error (20 bytes plus any included IP
options), and 8 more bytes of the "data" of that IP datagram. Assuming
a TCP or UDP packet, those 8 bytes include the source and destination
port numbers. This means your firewall code has to look at the 28+
byte data of the ICMP error to find out what address and port number
the offending packet came from, and from that, figure out to whom it
should forward the ICMP error packet after re-writing the contents to
reflect the address translation function. Not all NAT boxes do this.

Think also that the ICMP error may well be generated by a host
other than the destination - perhaps an intermediate router, so you
can't depend on the source IP of the error datagram matching up with
the destination IP of anything you've sent.

One way to check if your firewall is forwarding ICMP errors
correctly is to use a route tracing application, such as traceroute
(or better, tcptraceroute or hping3, which can be configured to do
the trace using TCP packets rather than ICMP or UDP). If the
trace shows intermediate hops (recall these applications work by
sending packets with artificially low TTLs, and depend on the
intermediate routers to send an ICMP Type 11 "Time Exceeded" error).
That's not the ICMP Type number you need for PMTU, but you can check
that ICMP Type 3 is working by trying to connect to a non-existent
server or port, and hope that whoever set up the destination box is
not filtering (dropping) such packets.

Old guy
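As an added illustration (not part of the post above), this is the parsing and rewriting work Moe Trin describes: pull the quoted IP header and its first 8 data bytes out of an ICMP Type 3 error, look the quoted source port up in the NAT table, and rewrite the error for the inside host. The NAT table, addresses and the sample error packet are constructed; checksums are left unrecomputed to keep the example short.

```python
import socket
import struct

# Constructed NAT state (not from the post): outside source port -> (inside host, inside port).
NAT_TABLE = {40001: ("192.168.11.21", 51234)}
PUBLIC_IP = "203.0.113.5"   # the NAT router's outside address (constructed)

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options, checksum left zero) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

def parse_icmp_unreachable(pkt):
    """Dig the quoted header out of an ICMP Type 3 error.
    Returns (code, inner_src, inner_dst, inner_proto, sport, dport), or None."""
    ihl = (pkt[0] & 0x0F) * 4                  # outer header may carry options
    if len(pkt) < ihl + 8 or pkt[9] != 1:     # outer protocol must be ICMP (1)
        return None
    icmp = pkt[ihl:]
    if icmp[0] != 3:                           # RFC 792: type 3 = Destination Unreachable
        return None
    inner = icmp[8:]                           # quoted datagram follows the 8-byte ICMP header
    inner_ihl = (inner[0] & 0x0F) * 4 if inner else 0
    if inner_ihl < 20 or len(inner) < inner_ihl + 8:  # need full header + 8 data bytes
        return None
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])  # TCP and UDP alike
    return icmp[1], src, dst, inner[9], sport, dport

def nat_forward(pkt):
    """(inside_host, rewritten_error) for an error about a flow we translated, else None (drop)."""
    parsed = parse_icmp_unreachable(pkt)
    if parsed is None:
        return None
    _code, src, _dst, proto, sport, _dport = parsed
    if src != PUBLIC_IP or proto not in (6, 17) or sport not in NAT_TABLE:
        return None                            # not a TCP/UDP flow we translated
    host, port = NAT_TABLE[sport]
    inner_off = (pkt[0] & 0x0F) * 4 + 8
    inner_ihl = (pkt[inner_off] & 0x0F) * 4
    out = bytearray(pkt)
    out[16:20] = socket.inet_aton(host)                          # outer dst -> inside host
    out[inner_off + 12:inner_off + 16] = socket.inet_aton(host)  # quoted src -> inside host
    struct.pack_into("!H", out, inner_off + inner_ihl, port)     # quoted sport -> inside port
    return host, bytes(out)

# Constructed sample: router 198.51.100.1 reports code 4 ("fragmentation needed", next-hop MTU
# 1400) about a TCP segment our NAT sent from 203.0.113.5:40001 to 192.0.2.80:443.
QUOTED = ipv4(PUBLIC_IP, "192.0.2.80", 6, struct.pack("!HHI", 40001, 443, 0))
SAMPLE_ERROR = ipv4("198.51.100.1", PUBLIC_IP, 1, struct.pack("!BBHHH", 3, 4, 0, 0, 1400) + QUOTED)
```

Note that the error's outer source (the intermediate router) plays no part in the decision; only the quoted header identifies the inside host.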


