Re: [FW-1] Fragmentation Problem Fix



modzap is still used in NG; back up your fwmod.o file before you do anything.
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Nathan Jardine (IT Services)
Sent: Tuesday, February 04, 2003 1:40 PM
To: [email protected]
Subject: [FW-1] Fragmentation Problem Fix

Can this fragmentation problem fix also be done in NG?  If so, is the syntax the same?


Some applications set the "Don't Fragment" bit on certain packets. When the IPSEC headers are added onto the already large packet, the packet basically requires fragmentation in order to pass. When Check Point creates the IPSEC packet, the Don't Fragment bit is passed on to the new packet. The end result: a packet that requires fragmentation to pass, but has the Don't Fragment bit set, so it can't be fragmented. The packet gets dropped.

You can force FireWall-1 to clear the Don't Fragment bit by setting the fw_ipsec_dont_fragment kernel variable as follows:

On a Nokia IPSO system (VPN-1 Appliance or Nokia IP), you will need to get the 'modzap' utility from Resolution 1261 in Nokia's Knowledge Base. You can then use the following command line to modify the fwhmem parameter and reboot the system:

 # modzap -s _fw_ipsec_dont_fragment $FWDIR/modules/fwmod.o 0x0




Sincerely,
Nathan
 
Nathan Jardine, CCNP, CCSA, CCDA, MCSE
IT Services, SkillSoft
Ph. ; ext 6977
Cell 
[email protected]

SkillSoft, The E-Learning Solutions Company
Visit us at http://www.smartforce.com
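
Added example, not part of the original thread and not Check Point code: a small Python model of the drop condition described in the quoted message, useful for checking which inner packet sizes are affected. The ESP overhead figures (tunnel mode, 3DES-CBC, 96-bit HMAC), the 1500-byte MTU, the sample addresses and the copy_df switch standing in for fw_ipsec_dont_fragment are assumptions.

```python
import socket
import struct

OUTER_IP, ESP_HDR = 20, 8  # outer IPv4 header; ESP SPI + sequence number

def esp_tunnel_size(inner_len, block=8, iv=8, icv=12):
    """Outer packet size after tunnel-mode ESP wraps an inner packet.
    Defaults assume 3DES-CBC with a 96-bit HMAC (assumption, not from the post)."""
    padded = -(-(inner_len + 2) // block) * block  # +2: pad-length and next-header bytes
    return OUTER_IP + ESP_HDR + iv + padded + icv

def max_inner_len(mtu=1500, block=8, iv=8, icv=12):
    """Largest inner packet that still fits in the MTU once encapsulated."""
    avail = mtu - OUTER_IP - ESP_HDR - iv - icv
    return avail - avail % block - 2

def parse_ipv4(header):
    """Return (total_length, df_set) from the first 8 bytes of an IPv4 header."""
    ver_ihl, _, total_len, _, flags_frag = struct.unpack("!BBHHH", header[:8])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return total_len, bool(flags_frag & 0x4000)  # 0x4000 = Don't Fragment

def outcome(header, mtu=1500, copy_df=True):
    """copy_df=True models DF being passed on to the IPSEC packet;
    copy_df=False models the effect of zeroing fw_ipsec_dont_fragment."""
    total_len, df = parse_ipv4(header)
    if esp_tunnel_size(total_len) <= mtu:
        return "fits"
    return "dropped" if (df and copy_df) else "fragmented"

def sample_header(total_len, df):
    """Constructed IPv4 header for the demo (checksum left at 0, not validated)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0,
                       0x4000 if df else 0, 64, 6, 0,
                       socket.inet_aton("192.0.2.1"),
                       socket.inet_aton("198.51.100.1"))

if __name__ == "__main__":
    for length, df in [(1400, True), (1500, True), (1500, False)]:
        hdr = sample_header(length, df)
        print(length, "DF" if df else "--", esp_tunnel_size(length),
              outcome(hdr), outcome(hdr, copy_df=False))
    print("largest inner packet that fits:", max_inner_len())
```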


