Subject: Re: pipsecd+ipfw fwd
From: Patrick Bihan-Faou (patricknetzuno.com)
Date: Fri Dec 08 2000 - 13:07:13 CST
It sounds to me that you would be better served by configuring the IP
routing tables rather than doing this with ipfw fwd rules.
Also for the PMTU problem, tcpmssd (from the ports) can help you there. The
issue is no different from the one experienced by PPPoE users.
The reason why you want to reduce the MTU of the IPSec link is that IPSec
headers take some space. If you leave the MTU as 1500, the resulting IPSec
packets may need to be fragmented and that will not help the performance of
"John F Cuzzola" <vdrifterocis.ocis.net> wrote in message
> Hello all,
> I'm using pipsecd from the ports collection and it seems to do the job
> (for my purposes anyway). I've noticed however that when configuring the
> tunnel device the author recommends a MTU of 1440. Recently I added a
> firewall rule like:
> ipfw add fwd <virtual ip address of tunnel> ip from <private net> to any
> to force the next hop through the tunnel. Well it didn't work, it did for
> small amounts of data but not larger ones which lead me to suspect a path
> MTU discovery problem. I reconfigured the tunnel device for a MTU of 1500
> and it works great. My question is when using ipfw fwd what happens if the
> size of the packet exceeds the MTU of the device? When IPFW FWDing does
> ICMP 3.4 messages get sent back for large packets whose don't-fragment
> bit is set? Or does that packet just get dropped? It
> would appear the icmp 3.4 message doesn't get sent back but that could be
> because of the pipsecd port.
> Kind of curious & thanks,
To Unsubscribe: send mail to majordomoFreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
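An added example (not from this thread, nor pipsecd's or tcpmssd's own code) that models the arithmetic behind the advice above: ESP tunnel-mode overhead, what a hop does with an oversized packet that has DF set, the MSS a clamp such as tcpmssd would leave in a SYN, and why a missing ICMP 3/4 makes only large transfers stall. The ESP sizes assume an 8-byte IV, an 8-byte cipher block and a 12-byte ICV; those are assumptions of this example, not facts about pipsecd.

```python
"""Constructed model of IPsec tunnel MTU and path MTU discovery behaviour."""
from typing import List, Optional, Tuple

IP_HDR, TCP_HDR, ESP_HDR = 20, 20, 8
ICMP_FRAG_NEEDED = (3, 4)  # ICMP dest. unreachable, "fragmentation needed and DF set"


def esp_tunnel_size(inner_len: int, iv_len: int = 8, block: int = 8, icv_len: int = 12) -> int:
    """Bytes on the wire once an inner IP packet is ESP tunnel-mode encapsulated."""
    # Encrypted part = inner packet + padding + pad-length + next-header bytes,
    # rounded up to the cipher block size (assumed parameters, see lead-in).
    enc = -(-(inner_len + 2) // block) * block
    return IP_HDR + ESP_HDR + iv_len + enc + icv_len


def largest_inner_mtu(outer_mtu: int = 1500, **kw) -> int:
    """Largest inner packet whose encapsulated form still fits the outer link MTU."""
    n = outer_mtu
    while esp_tunnel_size(n, **kw) > outer_mtu:
        n -= 1
    return n


def next_hop(packet_len: int, df: bool, link_mtu: int) -> Tuple[str, Optional[Tuple[int, int, int]]]:
    """What a router should do with a packet leaving on a link of the given MTU (RFC 1191)."""
    if packet_len <= link_mtu:
        return ("forward", None)
    if not df:
        return ("fragment", None)
    # Too big and DF set: drop it and report the next-hop MTU to the sender.
    return ("drop", (*ICMP_FRAG_NEEDED, link_mtu))


def clamp_mss(mss: int, link_mtu: int) -> int:
    """MSS value an MSS clamp would leave in a SYN so segments fit the tunnel MTU."""
    return min(mss, link_mtu - IP_HDR - TCP_HDR)


def pmtu_discovery(path: List[int], icmp_delivered: bool, start: int = 1500) -> Optional[int]:
    """Sender's view of PMTU discovery across the hop MTUs in `path`.
    Returns the discovered PMTU, or None when DF-sized packets vanish silently
    (the 'small transfers work, large ones hang' symptom from the thread)."""
    pmtu = start
    while True:
        for mtu in path:  # every drop strictly lowers pmtu, so this terminates
            action, icmp = next_hop(pmtu, df=True, link_mtu=mtu)
            if action == "drop":
                if not icmp_delivered:
                    return None
                pmtu = icmp[2]  # honour the next-hop MTU from the ICMP message
                break
        else:
            return pmtu
```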