Re: [FW-1] Force FW1 to fragment encrypted packets on Solaris
On Wed, Dec 26, 2001 at 09:53:57AM -0800, Yim Lee wrote:
> Running 4.1 SP5 on Solaris 2.6
>
> Having problem with SecuRemote establishment, my
> support vendor suggested the following fix:
>
> 1. Open the file /etc/system with a text editor
> 2. Add the following line at the end of the file:
> set fw:fw_ipsec_dont_fragment = 0x0
> 3. Reboot the machine
>
> This will force FireWall-1 to fragment encrypted
> packets on Solaris.
>
> Is there any security risk in doing this?

No, all the (fragmented) packets are encrypted - there's just more of them. Not a security problem.

You may see a performance hit though since the Solaris box will need to do packet re-assembly to get the data. This is usually expensive in terms of CPU.

I wonder why your support said this - I'd run a sniffer and see if your packets are exceeding the 1500 byte limit with the DF (Don't Fragment) flag set.

Also check www.phoneboy.com if you haven't already

alan
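The sniffer check suggested in the reply above, as an added example that is not part of the original thread: it decodes captured IPv4 headers and flags DF-marked packets that would exceed the MTU once encryption overhead is added, existing fragments, and ICMP "fragmentation needed" replies. The function names, the overhead parameter and its value of 60 bytes, and the sample packets are assumptions constructed for illustration.

```python
import struct

def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 header fields that matter for fragmentation."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    offset = (flags_frag & 0x1FFF) * 8
    # ICMP type 3 code 4 = "fragmentation needed and DF set"
    frag_needed = (proto == 1 and offset == 0 and len(pkt) >= ihl + 2
                   and pkt[ihl] == 3 and pkt[ihl + 1] == 4)
    return {"total_len": total_len, "proto": proto, "frag_offset": offset,
            "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
            "frag_needed": frag_needed}

def classify(pkt: bytes, mtu: int = 1500, overhead: int = 0) -> str:
    """overhead: bytes the encryption adds (assumed value, measure your own)."""
    h = parse_ipv4(pkt)
    if h["frag_needed"]:
        return "icmp-frag-needed"   # a router dropped a DF packet upstream
    if h["df"] and h["total_len"] + overhead > mtu:
        return "df-oversize"        # cannot be fragmented, will not fit
    if h["mf"] or h["frag_offset"]:
        return "fragment"           # receiver must reassemble
    return "ok"

def make_ipv4(total_len: int, flags_frag: int, proto: int,
              payload: bytes = b"") -> bytes:
    """Constructed sample packet; header checksum left at 0 (not validated)."""
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2])
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, flags_frag,
                       64, proto, 0, src, dst) + payload

if __name__ == "__main__":
    samples = {  # constructed, truncated captures (headers only)
        "full-size TCP with DF": make_ipv4(1500, 0x4000, 6),
        "first fragment": make_ipv4(1400, 0x2000, 50),
        "ICMP unreachable": make_ipv4(56, 0, 1, bytes([3, 4, 0, 0])),
    }
    for name, pkt in samples.items():
        print(f"{name}: {classify(pkt, overhead=60)}")
```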