guy keren wrote:
>On Wed, 9 Jan 2002, Ira Abramov wrote:
>
>3. it _could_ be that even without it, the mere fact that ira uses
> 're-fragmentation' (which, as i remember, was a requirement for any
> masquerading linux machine, back in 2.2 kernels - has that changed?)
> would have caused any fragmented packets to be de-fragmented before
> sent again. however, if the next hop is still too small - they will
> also be re-fragmented (as far as i can see), so this only helps for
> incoming packets, not for outgoing ones. btw, the reason for this
> de-fragmentation is to allow rules handling upper-level protocols (i.e.
> protocols above the IP layer) to be handled properly for the full
> packet, since the IP fragments do not contain the TCP data of the
> packet).
>
Assuming that you did not block these ICMPs coming in (i.e. - between
your GW and the inside computer), the problem with dropped packets is
not with outbound packets, but with inbound. It may be, BTW, that the
router causing the problems is, in fact, your own GW. Eli - here is one
more thing for you to try. Try removing the CLAMPMSS rule, reducing the
MTU on the GW, but adding a rule allowing outgoing (and incoming) ICMP
type 3 code 4, and check again.
Shachar