Hi.

A <---> (internet) <---> B <---> C

We have a setup with A being "a host from the internet", B a
Linux "router-firewall", and C a web server.
The B-C network is a 192.168.x.x network.
Host B has a "real" IP for its exterior interface.
We use port forwarding (ipportfw) on port 80 from B to C.
Traffic from C:80 to outgoing hosts (answers to ipportfw-ed
requests) gets MASQed.

Well, everything works fine, until...

If host A or some host between B and A has an MTU smaller than the
packets being sent by C (using (IMHO) braindead PMTU discovery),
it creates "ICMP DEST-UNREACHABLE FRAG-NEEDED" packets and sends
them back to C. But since we are only forwarding port 80 and are
not using any incoming masquerading, the ICMPs get stuck at B and
are not forwarded to C. So C never notices it is sending too large
packets and tries "forever".

If it were a classic "outgoing masq" connection, the ICMPs would be
demasqueraded and forwarded to C. But they are not, because we are
using ipportfw for incoming.

a) Any way to fix this problem
   (except clearing the DF bit from every packet passing host B (works
   fine, but I consider it a "dirty workaround") or lowering the
   MTU for the B<->C link to 576 (considered a bad dirty
   workaround))?

b) Is this fixed in ipchains-blah in 2.2.x? At least ipportfw finally
   made its way into the 2.2.x networking code...

In search of answers,
  Regards,
    Hauke Johannknecht

-- 
[EMAIL PROTECTED]
                                                        innominate GmbH
               Multifunctional server solutions and IT services
fon: +49.30.308806-0  fax: -77  web: http://innominate.de  pgp: /pgp/hj



_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]
http://tiffany.indyramp.com/mailman/listinfo/masq
Admin requests can be handled by web (above) or [EMAIL PROTECTED]
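The mechanism behind the problem in the post, as an added example that is not code from the post, from ipportfw or from the masq code: an ICMP Destination Unreachable / Fragmentation Needed error (type 3, code 4) that reaches B carries the next-hop MTU plus the IP header and first 8 bytes of the packet that triggered it. That embedded copy still shows B's public address and port 80 as the source, so a port-forward-aware B has to match it against the ipportfw table, rewrite the outer destination and the embedded source back to C, and recompute the outer IP, ICMP and embedded IP header checksums before it can deliver the error to C. The addresses (documentation ranges), the PORTFW table and every packet below are constructed for illustration; an error for a port that is not forwarded returns None, which is the "stuck at B" case the post describes.

```python
"""Added example (not from the original post or the masq code): reverse-translate an
ICMP "fragmentation needed" error at B so it reaches the port-forwarded host C.
Addresses, the ipportfw table and all packets are constructed for illustration."""
import socket
import struct

# Assumed topology (documentation address ranges, not taken from the post).
PUBLIC_IP = "203.0.113.10"     # B's exterior ("real") interface
INTERNAL_C = "192.168.1.2"     # the web server C
# ipportfw-style table on B: (public addr, port) -> (internal addr, port)
PORTFW = {(PUBLIC_IP, 80): (INTERNAL_C, 80)}

IPPROTO_ICMP, IPPROTO_TCP = 1, 6
ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED = 3, 4   # type 3, code 4: frag needed and DF set


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for data whose field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, df):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      0x4000 if df else 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_segment_from_b(sport, dst, dport, payload):
    """A DF segment as it leaves B: C's source address already masqueraded to PUBLIC_IP."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    return ipv4_header(PUBLIC_IP, dst, IPPROTO_TCP, len(tcp), df=True) + tcp


def frag_needed(router, offending, mtu):
    """ICMP type 3/code 4 as a router builds it: next-hop MTU plus the offending
    IP header and the first 8 bytes of its payload, addressed to the apparent sender."""
    icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, mtu) + offending[:28]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(router, socket.inet_ntoa(offending[12:16]), IPPROTO_ICMP,
                       len(icmp), df=False) + icmp


def parse_frag_needed(pkt):
    """Return the fields B needs from a frag-needed error, or None if it is not one."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_ICMP:
        return None
    icmp = pkt[ihl:]
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (typ, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        return None
    inner = icmp[8:]                         # embedded copy of the offending packet
    inner_ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {"outer_dst": socket.inet_ntoa(pkt[16:20]), "mtu": mtu,
            "inner_proto": inner[9], "inner_src": socket.inet_ntoa(inner[12:16]),
            "inner_dst": socket.inet_ntoa(inner[16:20]), "sport": sport, "dport": dport}


def demasq_frag_needed(pkt):
    """What a port-forward-aware B would do: if the embedded packet was sent from a
    forwarded (public addr, port), rewrite the outer destination and the embedded
    source back to the internal host, fix the three checksums and return the packet
    to deliver to C.  None means the error stays stuck at B, as in the post."""
    info = parse_frag_needed(pkt)
    if info is None or info["inner_proto"] != IPPROTO_TCP:
        return None
    target = PORTFW.get((info["inner_src"], info["sport"]))
    if target is None:
        return None
    internal = socket.inet_aton(target[0])
    ihl = (pkt[0] & 0x0F) * 4
    outer, icmp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    inner = icmp[8:]
    inner[12:16] = internal                               # embedded source -> C
    inner_ihl = (inner[0] & 0x0F) * 4
    inner[10:12] = b"\x00\x00"
    inner[10:12] = struct.pack("!H", checksum(bytes(inner[:inner_ihl])))
    icmp[8:] = inner
    icmp[2:4] = b"\x00\x00"
    icmp[2:4] = struct.pack("!H", checksum(bytes(icmp)))   # ICMP sum covers the copy
    outer[16:20] = internal                               # outer destination -> C
    outer[10:12] = b"\x00\x00"
    outer[10:12] = struct.pack("!H", checksum(bytes(outer)))
    return bytes(outer + icmp)


def checksums_ok(pkt):
    """True when the outer IP, ICMP and embedded IP header checksums all verify."""
    ihl = (pkt[0] & 0x0F) * 4
    inner = pkt[ihl + 8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    return (checksum(pkt[:ihl]) == 0 and checksum(pkt[ihl:]) == 0
            and checksum(inner[:inner_ihl]) == 0)
```

The lookup key is the embedded packet's source, not the outer header: the router addresses the error to B because B's public address was the apparent sender, and only the 28-byte copy inside the ICMP message reveals which forwarded port (and therefore which internal host) the oversized segment belonged to. Forwarding the error without rewriting the embedded source would leave C unable to match it to its own socket, so the embedded header checksum has to be fixed along with the outer IP and ICMP checksums.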