Subject: Re: DF strikes again
To: Bill Sommerfeld
From: Andrew Brown
List: current-users
Date: 03/15/2001 15:08:57
>> i think the use of "outgoing" and "incoming" here is probably enough
>> for people to insist that they're not doing anything wrong.  after
>> all, it says nothing about incoming traffic with the DF bit or
>> outgoing ICMP messages, which is usually where the problem is.
>This would only be a problem if the bottleneck is *inside* the
>In practice the problems occur with configurations looking like:
>                inside          outside
>   web server === firewall ============= t1 ---- t2 ======  client
>'=' is 1500 byte MTU
>'-' is smaller MTU
>In this case, the web server is sending out DF packets of size 1500
>bytes; t1 sends back a "frag needed" ICMP, which is being dropped by
>the firewall.

which could just as easily be a situation like this:

                    outside          inside
      client ============== firewall ==== t1 ---- t2 ==== web server

>Large packets sent by "client" wind up hitting the bottleneck at t2,
>get the "frag neededs" and adapt.

that large packets from the client wind up getting dropped and
no notification makes it back to the client.

>If t1/t2 are buggy and don't send the "frag needed" errors, that's
>another matter entirely (not a firewall bug).

of course.

|-----< "CODE WARRIOR" >-----|
(Andrew Brown)   * "ah!  i see you have the internet that goes *ping*!"
                 * "information is power -- share the wealth."
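The two pictures in the thread, as an added worked example that is not code from the thread or from NetBSD: a small Python model of path MTU discovery over a chain of hops. A DF=1 packet larger than a link's MTU is dropped by the router in front of that link, which sends ICMP type 3 code 4 ("fragmentation needed and DF set") back toward the sender; a firewall that drops that ICMP leaves the sender with a black hole. Hop names and the 1400-byte MTU of the t1----t2 link are constructed for the example (the thread only says "smaller"); the `diagnose` check is an assumed defender-side probe, not a tool the thread mentions. The model also covers a third case the thread does not draw, a bottleneck on the sender's own side of the firewall, to show that what matters is whether the firewall sits between the DF sender and the small link, not which side is called "inside".

```python
"""PMTUD black-hole model: DF packets, ICMP type 3 code 4, and a firewall."""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True)
class Link:
    name: str
    mtu: int


@dataclass(frozen=True)
class Firewall:
    name: str
    passes_frag_needed: bool  # lets ICMP type 3 / code 4 back through to the sender?


Hop = Union[Link, Firewall]


@dataclass(frozen=True)
class Packet:
    size: int
    df: bool = True


def send(path: List[Hop], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Forward one packet from path[0] toward path[-1].

    Returns ("delivered", size), ("icmp", next_hop_mtu) when the frag-needed
    message reaches the sender, or ("blackhole", None) when the packet was
    dropped and the ICMP was eaten on its way back.
    """
    for i, hop in enumerate(path):
        if isinstance(hop, Firewall):
            continue  # forward direction: the data packet itself is allowed through
        if pkt.size <= hop.mtu:
            continue
        if not pkt.df:
            return ("delivered", hop.mtu)  # fragmented in-path, arrives in pieces
        # The router in front of this link emits ICMP type 3 code 4 carrying
        # the next-hop MTU; it travels back over the hops already traversed.
        for back in reversed(path[:i]):
            if isinstance(back, Firewall) and not back.passes_frag_needed:
                return ("blackhole", None)
        return ("icmp", hop.mtu)
    return ("delivered", pkt.size)


def pmtud(path: List[Hop], start_size: int = 1500, max_rounds: int = 8) -> Optional[int]:
    """Sender's RFC 1191 style loop: shrink on each frag-needed, give up on silence.
    Returns the discovered path MTU, or None when the path is a black hole."""
    size = start_size
    for _ in range(max_rounds):
        outcome, value = send(path, Packet(size, df=True))
        if outcome == "delivered":
            return size
        if outcome != "icmp":
            return None
        size = value
    return None


def diagnose(path: List[Hop], small: int = 576, large: int = 1500) -> str:
    """Assumed defender-side probe for the symptom in the thread: small DF packets
    get through but full-size ones vanish with no ICMP coming back."""
    small_ok = send(path, Packet(small))[0] == "delivered"
    large_outcome = send(path, Packet(large))[0]
    if small_ok and large_outcome == "blackhole":
        return "pmtud-blackhole: permit ICMP type 3 code 4 toward the sender"
    if small_ok and large_outcome == "icmp":
        return "ok: frag-needed reaches the sender, PMTUD converges"
    if small_ok:
        return "ok: full-size packets fit"
    return "small packets fail too: not a PMTUD problem"


# Bill's picture: DF sender (web server) inside, bottleneck t1----t2 outside.
def bill_path(fw_passes_icmp: bool) -> List[Hop]:
    return [Link("web server -> firewall", 1500), Firewall("firewall", fw_passes_icmp),
            Link("firewall -> t1", 1500), Link("t1 ---- t2", 1400),  # constructed MTU
            Link("t2 -> client", 1500)]


# Andrew's mirror image: DF sender (client) outside, bottleneck inside.
def andrew_path(fw_passes_icmp: bool) -> List[Hop]:
    return [Link("client -> firewall", 1500), Firewall("firewall", fw_passes_icmp),
            Link("firewall -> t1", 1500), Link("t1 ---- t2", 1400),
            Link("t2 -> web server", 1500)]


# Bottleneck on the sender's side of the firewall: the ICMP never has to cross it.
def bottleneck_before_firewall() -> List[Hop]:
    return [Link("web server -> t1", 1500), Link("t1 ---- t2", 1400),
            Link("t2 -> firewall", 1500), Firewall("firewall", False),
            Link("firewall -> client", 1500)]


if __name__ == "__main__":
    cases = [("Bill, fw drops ICMP", bill_path(False)), ("Bill, fw passes ICMP", bill_path(True)),
             ("Andrew, fw drops ICMP", andrew_path(False)),
             ("bottleneck on sender side", bottleneck_before_firewall())]
    for label, path in cases:
        print(f"{label:26s} PMTU={pmtud(path)}  {diagnose(path)}")
```

In both of the thread's topologies the firewall lies between the DF sender and the small link, so dropping the ICMP produces the same black hole whichever side is labelled "inside"; in the third case the ICMP never crosses the firewall and PMTUD converges regardless of its policy. The check a firewall administrator wants is the one `diagnose` models: if small DF packets pass and large ones disappear silently, ICMP type 3 code 4 toward the sender is being filtered.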