List:       ipfilter
Subject:    Re: IPFilter on Solaris
From:       Phil Dibowitz <phil () ipom ! com>
Date:       2009-06-04 21:19:41
Message-ID: 29811_1244150904_4A283C77_29811_8208_1_4A283A6D.4070909 () ipom ! com


salamond wrote:
> Hi, All.
> 
> After adding "keep frags" to the end of current rule, actually all my rules,
> the problem is solved.
> 
> The weird part is with 3.4.32, it works without "keep frags".
> Never mind. Problem solved.
> 
> And if anyone else ever encounters connection hangs while the exact
> rule should have passed it,
> add "keep frags" to your rules; it may work for you too.

This makes sense. I'm guessing you, or the remote host, don't have Path MTU
Discovery disabled. Alternatively, something in the middle is disregarding
the DF bit... but yes, it's pretty much required to always have keep frags
enabled.

-- 
Phil Dibowitz                             phil@ipom.com
Open Source software and tech docs        Insanity Palace of Metallica
http://www.phildev.net/                   http://www.ipom.com/

"Never write it in C if you can do it in 'awk';
 Never do it in 'awk' if 'sed' can handle it;
 Never use 'sed' when 'tr' can do the job;
 Never invoke 'tr' when 'cat' is sufficient;
 Avoid using 'cat' whenever possible" -- Taylor's Laws of Programming
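
A simplified model of the behaviour discussed in this message, added here as an example; it is not part of the original post and is not IPFilter code. It shows why a port-based pass rule alone lets only the first fragment through, and how a fragment cache of the kind "keep frags" enables passes the rest; the class and function names, the cache key and the sample addresses are assumptions made for illustration, and cache timeouts are omitted.

```python
# Simplified model (an assumption, not IPFilter source): one port-based pass
# rule with a default block, evaluated with and without a fragment cache.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    ip_id: int            # IP identification field, shared by all fragments
    frag_offset: int      # 0 for the first fragment or an unfragmented packet
    more_frags: bool      # MF bit
    dport: Optional[int]  # only the first fragment carries the TCP/UDP header

class Filter:
    def __init__(self, allowed_dport: int, keep_frags: bool):
        self.allowed_dport = allowed_dport
        self.keep_frags = keep_frags
        self.frag_cache = set()   # hypothetical key: (src, dst, proto, ip_id)

    def check(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.proto, pkt.ip_id)
        if pkt.frag_offset > 0:
            # No layer-4 header here, so the port rule cannot match.
            if self.keep_frags and key in self.frag_cache:
                return "pass"     # belongs to a datagram already allowed
            return "block"
        if pkt.dport == self.allowed_dport:
            if self.keep_frags and pkt.more_frags:
                self.frag_cache.add(key)   # expect the remaining fragments
            return "pass"
        return "block"

def fragment_datagram(src, dst, ip_id, dport, n_frags):
    """Constructed sample: one TCP segment split into n_frags IP fragments."""
    return [Packet(src, dst, "tcp", ip_id, i * 185, i < n_frags - 1,
                   dport if i == 0 else None) for i in range(n_frags)]

def run(keep_frags: bool):
    fw = Filter(allowed_dport=22, keep_frags=keep_frags)
    frags = fragment_datagram("192.0.2.10", "198.51.100.5", 0x1234, 22, 3)
    return [fw.check(p) for p in frags]

if __name__ == "__main__":
    print("without keep frags:", run(False))
    print("with keep frags:   ", run(True))
```

Without the cache the datagram can never be reassembled at the receiver, which appears to the application as a hung connection even though the rule matched.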


