httpd-dev mailing list archives

From Marc Slemko <ma...@worldgate.com>
Subject Re: anyone else using ipfw ?
Date Wed, 02 Jul 1997 17:45:23 GMT
Yes, it is possible; however, I didn't think that is what the ipfw code
did.

The deal is that all fragments other than the first don't have the port
info in, so the firewall can't judge if it is to the correct port.  One
way of dealing with that is to just let the fragments through, on the
assumption that you have already checked the first fragment and that
later ones can't do any harm anyway since they will be thrown away
without the first.  If you have a deny all, however, the firewall may
decide to throw them away.

Do you have a permit-all except what you deny policy or a deny all except
what you permit policy?

A tcpdump or four of an attempt to connect that fails wouldn't hurt, as
well as that same dump when the MTU is changed.  If their lowering their
MTU helps then, assuming you don't have any low MTU links in front of you,
it is possible that their upstream has an unusually low MTU.  That could
normally be verified with the right traceroute.

I was under the impression that the NT stack still couldn't handle
fragments... 

On Wed, 2 Jul 1997, Rob Hartill wrote:

> 
> We use ipfw (IP FireWall) to filter out unwanted connections to
> services we don't offer and to block abusive hosts (e.g. spam domains
> on port 25 and broken robots on port 80).
> 
> Some people running Windoze can't reach us on port 80 because ipfw
> is refusing them access. People who have managed to fix the problem
> have changed their PPP 'mtu' from 1500 to 576. A friend believes this
> is due to fragmented packets being rejected at the firewall.
> 
> I sent mail to a FreeBSD mailing list asking if anyone had any
> experience of this but got no answer, so I'll try here instead.
> Anyone?
> 
> It's impossible for us to tell how widespread the problem is. Hundreds
> of thousands of windoze users are reaching us so it's not a major problem.
> 
> --
> Rob Hartill                              Internet Movie Database (Ltd)
> http://www.moviedatabase.com/   .. a site for sore eyes.
> 
> 
> ps, ipfw is wonderful at blocking Spamford's ever changing and ever
> spoofing lusers from depositing their trash in our mailboxes.
> 
> 
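
A small model of the situation Marc describes, added here as an illustration and not part of either message or of ipfw itself: a stateless, deny-all-except-permit filter sees the TCP port only in the first fragment, so non-first fragments can only pass if the policy explicitly lets fragments through. All packets, addresses and function names below are constructed for the example.

```python
import struct

TCP = 6

def ip4(addr):
    """Dotted-quad string to 4 network-order bytes."""
    return bytes(int(o) for o in addr.split("."))

def build_packet(src, dst, proto, frag_off, more_frags, payload):
    """Constructed IPv4 datagram: no options, checksum left zero, frag_off in bytes."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_off // 8)  # MF flag + offset/8
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0, ip4(src), ip4(dst))
    return hdr + payload

def parse_packet(pkt):
    """Fields a stateless filter can see; dport is None when there is no TCP header."""
    ver_ihl, _, _, _, flags_frag, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    frag_off = (flags_frag & 0x1FFF) * 8
    payload = pkt[ihl:]
    dport = None
    if frag_off == 0 and proto == TCP and len(payload) >= 4:   # only the first fragment carries ports
        dport = struct.unpack("!HH", payload[:4])[1]
    return {"proto": proto, "frag_off": frag_off, "dport": dport}

def filter_packet(pkt, allowed_tcp_ports, pass_nonfirst_frags):
    """Deny-all-except-permit policy; returns 'allow' or 'deny'."""
    f = parse_packet(pkt)
    if f["frag_off"] != 0:
        # No transport header here, so a port rule can never match; the policy
        # must decide fragments on their own (the "let them through" approach).
        return "allow" if pass_nonfirst_frags else "deny"
    if f["proto"] == TCP and f["dport"] in allowed_tcp_ports:
        return "allow"
    return "deny"

def sample_packets():
    """A constructed HTTP request split at a 576-byte boundary: first and second fragment."""
    tcp_hdr = struct.pack("!HH", 40000, 80) + b"\x00" * 16     # sport 40000, dport 80
    first = build_packet("10.0.0.2", "10.0.0.1", TCP, 0, True, tcp_hdr + b"A" * 556)
    second = build_packet("10.0.0.2", "10.0.0.1", TCP, 576, False, b"A" * 400)
    return first, second

def demo():
    """Verdicts for (first, second) under a strict deny-all and under pass-fragments."""
    pkts = sample_packets()
    strict = [filter_packet(p, {80}, False) for p in pkts]
    lenient = [filter_packet(p, {80}, True) for p in pkts]
    return strict, lenient
```

Under the strict policy the second fragment is dropped and the client never completes the request, which matches the symptom that goes away when the client lowers its MTU so nothing fragments.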
