Martin Schuster wrote:
> George Borisov wrote:
>> Hello,
>>
>> Is there a way of forcing an MTU size for forwarded traffic on
>> the firewall?
>> I have tried playing with TCPMSS in iptables, but I haven't
>> managed to get it to work.
>>
> This should work automatically afaik.
> Is your firewall blocking some important ICMP messages like "fragmentation
> needed"?
> See man iptables (the section on TCPMSS)
All ICMP is allowed. Here are the TCPMSS rules:

---
# mark packets arriving from the UK LAN and bound for the SA LAN
$IPTABLES -t mangle -A PREROUTING -s $UK_LAN -d $SA_LAN \
    -j MARK --set-mark 2
# clamp the MSS of marked SYN/SYN-ACK packets to the path MTU
# (TCPMSS only acts on packets with the SYN flag set)
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m mark \
    --mark 2 -j TCPMSS --clamp-mss-to-pmtu
---

The mark bit is there because I'm paranoid (probably without any good reason whatsoever) that IPSec will do funny things to packet source/destination addresses.

There are lots of packets hitting this rule, but the problem is still there on machines that haven't had their MTU changed. :-(

The added complication is that TCPMSS needs to catch the packets before IPSec wraps them up for transmission. I'm not sure if those rules are doing it right.

--
George Borisov
DXSolutions Ltd

> hth,
> --
> Martin Schuster <[EMAIL PROTECTED]>
> CenterPoint http://www.centerpoint.eu.com/
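An added example, not from this thread, of the same clamping for two LANs joined by an IPsec tunnel, written without the mark and with an explicit --set-mss as the deterministic alternative to --clamp-mss-to-pmtu. It clamps SYN/SYN-ACK in both directions, because the MSS each end advertises limits what its peer sends back, and keeps "fragmentation needed" flowing so PMTU discovery still works. The subnets, the link MTU and the 73-byte ESP overhead budget are assumptions; the script only prints the rules unless IPTABLES points at the real binary.

```shell
#!/bin/sh
# Example (not the thread's rules): MSS clamping for TCP forwarded between
# two LANs over an IPsec tunnel.  Subnets and overhead figure are assumed.
IPTABLES=${IPTABLES:-"echo iptables"}   # dry-run by default
UK_LAN=${UK_LAN:-10.1.0.0/24}           # assumed subnet
SA_LAN=${SA_LAN:-10.2.0.0/24}           # assumed subnet
LINK_MTU=${LINK_MTU:-1500}              # MTU of the outer (encrypting) link
ESP_OVERHEAD=${ESP_OVERHEAD:-73}        # assumed worst case: ESP tunnel mode,
                                        # AES-CBC IV + padding + SHA1-96 ICV

# MSS a peer may use = outer MTU - encapsulation overhead - IPv4 (20) - TCP (20)
mss_for_tunnel() {              # $1 = outer-link MTU, $2 = per-packet overhead
    echo $(( $1 - $2 - 40 ))
}

# Rule text for one direction.  "SYN,RST SYN" matches SYN and SYN-ACK but
# not RST, so the MSS option in both halves of the handshake gets rewritten.
clamp_rule() {                  # $1 = source, $2 = destination, $3 = TCPMSS option
    echo "-A FORWARD -s $1 -d $2 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS $3"
}

apply_clamp() {
    mss=$(mss_for_tunnel "$LINK_MTU" "$ESP_OVERHEAD")
    # Never drop "fragmentation needed": everything that is not TCP SYN still
    # relies on PMTU discovery to learn the tunnel's smaller MTU.
    $IPTABLES -A FORWARD -p icmp --icmp-type fragmentation-needed -j ACCEPT
    # Clamp both directions: the UK side's SYN bounds what SA sends, and the
    # SA side's SYN-ACK bounds what UK sends.
    $IPTABLES $(clamp_rule "$UK_LAN" "$SA_LAN" "--set-mss $mss")
    $IPTABLES $(clamp_rule "$SA_LAN" "$UK_LAN" "--set-mss $mss")
}

apply_clamp
```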