Re: [Re: [FTP large file problem]]

Re: [Re: [FTP large file problem]]

[Curtis Call]

See:

http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-7.html#ss7.3

Scroll down to 'Specifying fragments'.  Looks like whether it is reassembled
prior to the filter depends on a few different factors...

Anyway, I was having problems with a local firewall filter stalling my large
IMAP downloads.  Permitting fragments did the trick...


Ramin Dousti <ramin@cannon.eng.us.uu.net> wrote:
> On Fri, Jul 18, 2003 at 07:47:29AM -0600, Curtis Call wrote:
> 
> > Are you explicitly allowing fragments through?  When a packet is
fragmented
> > only the first fragment contains the TCP/UDP header.  So if you're only
> > permitting based on that header the fragments won't make it.
> 
> Are you sure about this? Doesn't defrag occure on the fw by default?
Specially
> when you do nat it cannot work without this logic? And I don't recall any
> mention of "let fragments through" in the howto's or alike.
> 
> Ramin
> 

Re: [Re: [FTP large file problem]]

[Ramin Dousti]

Thanks but there I could find:

-----
If you are doing connection tracking or NAT, then all fragments will get merged back together before they reach the packet filtering code, so you need never worry about fragments.
-----

And I guess by default everybody is using "connection tracking" with netfilter.

Ramin


On Fri, Jul 18, 2003 at 08:34:04AM -0600, Curtis Call wrote:

> See:
> 
> http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-7.html#ss7.3
> 
> Scroll down to 'Specifying fragments'.  Looks like whether it is reassembled
> prior to the filter depends on a few different factors...
> 
> Anyway, I was having problems with a local firewall filter stalling my large
> IMAP downloads.  Permitting fragments did the trick...