Re: [FW-1] Fragmentation Problem Fix
I thought that in NG, the "Fragmentation Problem Fix" was done by changing ":ipsec_dont_fragment (true)" to ":ipsec_dont_fragment (false)" for the Firewall module object in question in $FWDIR/conf/objects_5_0.C.

>Date: Tue, 04 Feb 2003 18:32:44 -0500
>From: Jim Laverty <[email protected]>
>Subject: Re: [FW-1] Fragmentation Problem Fix
>Organization: Wang Trading LLC
>
>modzap is still used in NG, back up your fwmod.o file before you do anything.
>
>-----Original Message-----
>From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Nathan Jardine (IT Services)
>Sent: Tuesday, February 04, 2003 1:40 PM
>To: [email protected]
>Subject: [FW-1] Fragmentation Problem Fix
>
>Can this fragmentation problem fix also be done in NG? If so, is the syntax
>the same?
>
>Some applications set the "Don't Fragment" bit on certain packets. When the
>IPSEC headers are added onto the already large packet, the packet basically
>requires fragmentation in order to pass. When Check Point creates the IPSEC
>packet, the Don't Fragment bit is passed onto the new packet. The end
>result, a packet that requires fragmentation to pass, but has the Don't
>Fragment bit set, so can't be fragmented. Packet gets dropped.
>
>You can force FireWall-1 to clear the Don't Fragment bit by setting the
>fw_ipsec_dont_fragment kernel variable as follows:
>
>On a Nokia IPSO system (VPN-1 Appliance or Nokia IP), you will need to
>get the 'modzap' utility from Resolution 1261 in Nokia's Knowledge Base. You
>can then use the following command line to modify the fwhmem parameter and
>reboot the system:
>
>  # modzap -s _fw_ipsec_dont_fragment $FWDIR/modules/fwmod.o 0x0
>
>Sincerely,
>Nathan
>
>Nathan Jardine, CCNP, CCSA, CCDA, MCSE
>IT Services, SkillSoft
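The drop condition described in the thread, as an added example that is not part of the original messages or of Check Point's code: it reads the length and DF bit from an IPv4 header, estimates the ESP tunnel-mode size, and reports what a gateway does when DF is copied to the IPsec packet versus cleared. The 3DES-CBC with HMAC-SHA1-96 overhead, the 1500-byte path MTU, the sample headers and all function names are assumptions made for illustration.

```python
import struct

OUTER_IP, ESP_HDR, ESP_TRAILER = 20, 8, 2   # bytes; tunnel mode, no NAT-T (assumed)
DF_FLAG = 0x4000                            # "Don't Fragment" bit in the IPv4 flags word

def build_ipv4_header(total_len, df):
    """Constructed sample IPv4 header (20 bytes, checksum left at 0)."""
    flags = DF_FLAG if df else 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, flags, 64, 6, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 1, 1]))

def parse_len_and_df(header):
    """Return (total length, DF set?) from bytes 2..7 of an IPv4 header."""
    total_len, _ident, flags_frag = struct.unpack("!HHH", header[2:8])
    return total_len, bool(flags_frag & DF_FLAG)

def esp_tunnel_size(inner_len, block=8, iv=8, icv=12):
    """Packet size after ESP tunnel encapsulation.
    Defaults assume 3DES-CBC (8-byte block and IV) with a 12-byte HMAC-SHA1-96 ICV."""
    padded = -(-(inner_len + ESP_TRAILER) // block) * block   # pad to cipher block
    return OUTER_IP + ESP_HDR + iv + padded + icv

def max_inner_len(path_mtu, block=8, iv=8, icv=12):
    """Largest inner packet that still fits the path MTU once encapsulated."""
    room = path_mtu - (OUTER_IP + ESP_HDR + iv + icv)
    return (room // block) * block - ESP_TRAILER

def gateway_outcome(header, path_mtu=1500, copy_df=True):
    """copy_df=True models DF being passed to the IPsec packet; False models it cleared."""
    inner_len, df = parse_len_and_df(header)
    if esp_tunnel_size(inner_len) <= path_mtu:
        return "forwarded"
    if df and copy_df:
        return "dropped"        # needs fragmentation but is not allowed to fragment
    return "fragmented"

if __name__ == "__main__":
    for length, df in [(1400, True), (1500, True), (1500, False)]:
        hdr = build_ipv4_header(length, df)
        print(length, df, esp_tunnel_size(length),
              gateway_outcome(hdr, copy_df=True), gateway_outcome(hdr, copy_df=False))
    print("largest inner packet that avoids fragmentation:", max_inner_len(1500))
```

Under these assumptions, inner packets above the reported maximum are the ones affected, which is also the size to test with when confirming that a changed setting took effect.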