Re: IP fragmentation problem in the 2.0 kernels ?

Teunis Peters (
Thu, 11 Sep 1997 10:14:14 -0600 (MDT)

On Wed, 10 Sep 1997, Alan Cox wrote:

> > What if the kernel never sees the ICMP response?
> > What if the webserver never sees the ICMP request?
> >
> > ICMP tends to disappear behind firewalls (to reiterate) - and it's not
> > likely firewalls are going to disappear anytime soon.
> Then the webserver is broken. Properly configured firewalls pass proper
> IP packets. Whoever set up a system where that doesnt work is incompetent
> to a degree they should not be involved in firewall configuration.

Ah - but (as you no doubt know) ICMP != IP... But then, that doesn't
matter if the (request MTU) flag of the webserver isn't setup...

Only Linux seems to be able to pass ICMP through a firewall.... Windows
NT certainly can't. (yet) [and that's what all 'good' sysadmins swear by
- at least that's what all the magazines say]

> > Welcome to the real world - the nonstandard one <sigh>.
> > There should be a way to handle fragmentation requests with firewalls....
> Tough shit.

That's what I said <sigh>.... it's not like the IETF (or others) will
deal with them.

> > There a newer RFC than 1159 for this?
> > Any solution?
> The opinion on the tcp list is to beat the morons concerned over the heads
> until they hire a competent firewall admin.

and either setup Linux on the firewall or get a (probably very expensive?)

> > Anyone know how IPv6 handles masquerade/forward/et al?
> > (RFC's?) - I've only read up to 1850 (roughly)
> IPv6 does no partial fragmentation. You have to let ICMP DF frames through.
> With IPv4 you can just turn MTU discovery off on your web server (which is
> what a lot of folks do). Good high end firewalls don't have this problem and
> actually test and process the icmp df frames for validity.

Oh???? Linux is the only one I've heard of.....
Right. Okay, now I understand....

Question - where could I find out how to figure out which ICMP DF frames
are valid? (RFC?)

(I am firewall administrator here BTW - because I know linux :)
[and am about the only one in the region]

Guess it should end up somewhere in WWW setup docs....
(Apache doesn't mention it AFAIK - but then it doesn't really matter to me
because my firewall DOES pass ICMP-DF frames <grin>)

Yes - those who break the official IP specs should be slapped (hi
mickysoft)... but noone is doing that these days <sigh>.... I DO
remember before WWW - when such things WERE watched :)

G'day, eh?
- Teunis