Re: [FW-1] Fragmentation Problem Fix



It should work, yet I have noticed that in 4.1 it was ignored and modzap was
required to guarantee that it worked.  I would verify this with Checkpoint,
as it would be nice if modzap was not needed.

-----Original Message-----
From: Misha Alikov [mailto:[email protected]]
Sent: Wednesday, February 05, 2003 12:17 PM
To: [email protected]
Cc: Jim Laverty; [email protected]
Subject: Re: [FW-1] Fragmentation Problem Fix


I thought that in NG, the "Fragementation Problem Fix" was done by changing
":ipsec_dont_fragment (true)" to ":ipsec_dont_fragment (false)" for the
Firewall module object in question in $FWDIR/conf/objects_5_0.C.



>Return-path: <[email protected]>
>Date: Tue, 04 Feb 2003 18:32:44 -0500
>From: Jim Laverty <[email protected]>
>Subject: Re: [FW-1] Fragmentation Problem Fix
>Sender: Mailing list for discussion of Firewall-1
><[email protected]>
>To: [email protected]
>Reply-to: Mailing list for discussion of Firewall-1
><[email protected]>
>Organization: Wang Trading LLC
>X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
>Importance: Normal
>X-MSMail-priority: Normal
>Original-recipient: rfc822;[email protected]
>
>modzap is still used in NG, backup your fwmod.o file before you do
>anything.
>
>-----Original Message-----
>From: Mailing list for discussion of Firewall-1
>[mailto:[email protected]] On Behalf Of
>Nathan Jardine (IT Services)
>Sent: Tuesday, February 04, 2003 1:40 PM
>To: [email protected]
>Subject: [FW-1] Fragmentation Problem Fix
>
>
>
>Can this fragmentation problem fix also be done in NG?  If so, is the
>syntax the same?
>
>
>Some applications set the "Don't Fragment" bit on certain packets. When
>the IPSEC headers are added onto the already large packet, the packet
>basically requires fragmentation in order to pass. When Check Point
>creates the IPSEC packet, the Don't Fragment bit is passed onto the new
>packet. The end result: a packet that requires fragmentation to pass,
>but has the Don't Fragment bit set, so it can't be fragmented. The packet
>gets dropped.
>
>You can force FireWall-1 to clear the Don't Fragment bit by setting the
>fw_ipsec_dont_fragment kernel variable as follows:
>
>On a Nokia IPSO system (VPN-1 Appliance or Nokia IP), you will need
>to get the 'modzap' utility from Resolution 1261 in Nokia's Knowledge
>Base. You can then use the following command line to modify the fwhmem
>parameter and reboot the system:
>
> # modzap -s _fw_ipsec_dont_fragment $FWDIR/modules/fwmod.o 0x0
>
>
>
>
>Sincerely,
>Nathan
>
>Nathan Jardine, CCNP, CCSA, CCDA, MCSE
>IT Services, SkillSoft
>Ph: ext 6977
>Cell:
>[email protected]
>
>SkillSoft, The E-Learning Solutions Company
>Visit us at http://www.smartforce.com
>
>
>
>--------------------------------------------------------
>Note:
>This message is for the named person's use only.  It may
>contain confidential, proprietary or legally privileged
>information.  No confidentiality or privilege is waived
>or lost by any mistransmission.  If you receive this
>message in error, please immediately delete it and all
>copies of it from your system, destroy any hard copies
>of it and notify the sender.  You must not, directly or
>indirectly, use, disclose, distribute, print, or copy
>any part of this message if you are not the intended
>recipient. Wang Trading LLC and any of its subsidiaries
>each reserve the right to monitor all e-mail
>communications through its networks.
>
>Any views expressed in this message are those of the
>individual sender, except where the message states
>otherwise and the sender is authorized to state them
>to be the views of any such entity.
>---------------------------------------------------------



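The DF-bit interaction described in the quoted message, modelled as an added example (not Check Point code): an inner packet carrying the Don't Fragment flag is wrapped in ESP tunnel mode, and the gateway either copies DF to the new outer header (the ipsec_dont_fragment true behaviour) or clears it (the fix the thread discusses). The ESP header sizes are assumed (outer IPv4 plus ESP with AES-CBC and HMAC-SHA1-96) and the sample packet lengths are constructed.

```python
from dataclasses import dataclass

# Assumed ESP tunnel-mode overhead: outer IPv4 header (20) + ESP SPI/sequence (8)
# + AES-CBC IV (16) + pad-length/next-header trailer (2) + HMAC-SHA1-96 ICV (12).
# Block padding is ignored; real overhead varies with cipher and payload size.
ESP_TUNNEL_OVERHEAD = 20 + 8 + 16 + 2 + 12   # 58 bytes


@dataclass
class Packet:
    length: int   # total IP datagram length in bytes
    df: bool      # Don't Fragment flag in the IP header


def encapsulate(inner: Packet, copy_df: bool) -> Packet:
    """Wrap the inner packet in ESP tunnel mode with a new outer IP header.

    copy_df=True models ipsec_dont_fragment (true): the inner DF flag is
    copied to the outer header.  copy_df=False models the fix from the
    thread: the outer header always goes out with DF cleared.
    """
    return Packet(inner.length + ESP_TUNNEL_OVERHEAD, inner.df if copy_df else False)


def forward(outer: Packet, mtu: int) -> str:
    """What the outbound interface does with the encapsulated packet."""
    if outer.length <= mtu:
        return "sent"
    if outer.df:
        return "dropped"      # needs fragmentation but DF forbids it
    return "fragmented"       # split into fragments that fit the MTU


def simulate(inner_len: int, inner_df: bool, mtu: int, copy_df: bool) -> str:
    return forward(encapsulate(Packet(inner_len, inner_df), copy_df), mtu)


def max_inner_length(mtu: int) -> int:
    """Largest inner datagram that fits the outer MTU without fragmentation."""
    return mtu - ESP_TUNNEL_OVERHEAD


if __name__ == "__main__":
    # Constructed sample: a 1480-byte inner packet with DF set over a 1500-byte MTU link.
    for copy_df in (True, False):
        print(f"copy_df={copy_df}: {simulate(1480, True, 1500, copy_df)}")
    print("max inner length without fragmentation:", max_inner_length(1500))
```

Clearing DF on the outer header trades the silent drop for fragmentation at the gateway; keeping inner packets at or below max_inner_length() avoids the problem without touching the flag.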
