Posted to dev@httpd.apache.org by Rob Hartill <ro...@imdb.com> on 1997/07/02 18:48:10 UTC

anyone else using ipfw ?

We use ipfw (IP FireWall) to filter out unwanted connections to
services we don't offer and to block abusive hosts (e.g. spam domains
on port 25 and broken robots on port 80).

Some people running Windoze can't reach us on port 80 because ipfw
is refusing them access. People who have managed to fix the problem
have changed their PPP 'mtu' from 1500 to 576. A friend believes this
is due to fragmented packets being rejected at the firewall.

I sent mail to a FreeBSD mailing list asking if anyone had any
experience of this but got no answer, so I'll try here instead.
Anyone ?

It's impossible for us to tell how widespread the problem is. Hundreds
of thousands of windoze users are reaching us so it's not a major problem.

--
Rob Hartill                              Internet Movie Database (Ltd)
http://www.moviedatabase.com/   .. a site for sore eyes.


ps, ipfw is wonderful at blocking Spamford's ever changing and ever
spoofing lusers from depositing their trash in our mailboxes.




Re: anyone else using ipfw ?

Posted by Rob Hartill <ro...@imdb.com>.
On Wed, 2 Jul 1997, Marc Slemko wrote:

> Do you have a permit-all except what you deny policy or a deny all except
> what you permit policy?

ipfw is denying everything except what's explicitly allowed.

> A tcpdump or four of an attempt to connect that fails wouldn't hurt, as
> well as that same dump when the MTU is changed.  If them lowering their
> MTU helps then, assuming you don't have any low MTU links in front of you,
> it is possible that their upstream has an unusually low MTU.  That could
> normally be verified with the right traceroute.

Such info isn't going to be at all easy to acquire.

traceroute's also denied  :-o   my advisor's paranoid.

--
Rob Hartill                              Internet Movie Database (Ltd)
http://www.moviedatabase.com/   .. a site for sore eyes.


Re: anyone else using ipfw ?

Posted by Marc Slemko <ma...@worldgate.com>.
Yes, it is possible; however, I didn't think that is what the ipfw code
did.

The deal is that all fragments other than the first don't have the port
info in them, so the firewall can't judge if it is to the correct port.  One
way of dealing with that is to just let the fragments through, on the
assumption that you have already checked the first fragment and that
later ones can't do any harm anyway since they will be thrown away
without the first.  If you have a deny-all, however, the firewall may
decide to throw them away.

Do you have a permit-all except what you deny policy or a deny all except
what you permit policy?

A tcpdump or four of an attempt to connect that fails wouldn't hurt, as
well as that same dump when the MTU is changed.  If them lowering their
MTU helps then, assuming you don't have any low MTU links in front of you,
it is possible that their upstream has an unusually low MTU.  That could
normally be verified with the right traceroute.

I was under the impression that the NT stack still couldn't handle
fragments... 

On Wed, 2 Jul 1997, Rob Hartill wrote:

> 
> We use ipfw (IP FireWall) to filter out unwanted connections to
> services we don't offer and to block abusive hosts (e.g. spam domains
> on port 25 and broken robots on port 80).
> 
> Some people running Windoze can't reach us on port 80 because ipfw
> is refusing them access. People who have managed to fix the problem
> have changed their PPP 'mtu' from 1500 to 576. A friend believes this
> is due to fragmented packets being rejected at the firewall.
> 
> I sent mail to a FreeBSD mailing list asking if anyone had any
> experience of this but got no answer, so I'll try here instead.
> Anyone ?
> 
> It's impossible for us to tell how widespread the problem is. Hundreds
> of thousands of windoze users are reaching us so it's not a major problem.
> 
> --
> Rob Hartill                              Internet Movie Database (Ltd)
> http://www.moviedatabase.com/   .. a site for sore eyes.
> 
> 
> ps, ipfw is wonderful at blocking Spamford's ever changing and ever
> spoofing lusers from depositing their trash in our mailboxes.
> 
>
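The mechanism Marc describes, worked through as an added example (this is not ipfw code, not anything from the thread's participants, and it makes no claim about what any ipfw release actually did). It builds a TCP/IP datagram, fragments it the way a router on a small-MTU link would, and runs the pieces through a stateless deny-by-default filter whose only accept rule is "TCP to port 80". Only the first fragment carries the TCP header, so without an extra rule for non-first fragments the rest are dropped and the segment never reassembles; a client that lowers its own MTU to 576 sends segments small enough never to be fragmented on the path, which is the workaround reported above. Addresses, port numbers, the request body and the 576-byte path MTU are all constructed for the demonstration.

```python
"""Model of the fragment problem discussed above (an added example; not
ipfw code, and it makes no claim about what any ipfw release actually
did).  Only the first IPv4 fragment carries the TCP header, so a
deny-by-default filter whose accept rule needs a destination port cannot
match later fragments and drops them.  All packets are constructed here."""
import socket
import struct

IP_HDR_LEN = 20
TCP_HDR_LEN = 20
MF = 0x2000          # "more fragments" bit in the IPv4 flags/offset field
OFFSET_MASK = 0x1FFF
CLIENT = socket.inet_aton("192.0.2.10")    # documentation addresses, made up
SERVER = socket.inet_aton("198.51.100.80")


def build_ipv4_tcp(src, dst, sport, dport, payload):
    """One unfragmented IPv4 datagram with a minimal TCP header (checksums
    left zero; nothing here verifies them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                      (TCP_HDR_LEN // 4) << 4, 0x02, 8192, 0, 0)
    total = IP_HDR_LEN + TCP_HDR_LEN + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0, 64, 6, 0,
                     src, dst)
    return ip + tcp + payload


def fragment(datagram, mtu):
    """Split a datagram the way a router on an `mtu`-byte link would when
    DF is clear.  Every fragment except the last carries a multiple of
    8 data bytes; the existing offset and MF bit are carried over so an
    already fragmented datagram can be split again further downstream."""
    if len(datagram) <= mtu:
        return [datagram]
    hdr, data = datagram[:IP_HDR_LEN], datagram[IP_HDR_LEN:]
    base = struct.unpack("!H", hdr[6:8])[0]
    base_off, base_mf = base & OFFSET_MASK, base & MF
    chunk = (mtu - IP_HDR_LEN) // 8 * 8
    frags = []
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        last = off + chunk >= len(data)
        flags_off = (base_mf if last else MF) | (base_off + off // 8)
        new_hdr = (hdr[:2] + struct.pack("!H", IP_HDR_LEN + len(piece))
                   + hdr[4:6] + struct.pack("!H", flags_off) + hdr[8:])
        frags.append(new_hdr + piece)
    return frags


def parse(packet):
    """Return (proto, fragment_offset, tcp_dport_or_None).  The port is
    only readable from an offset-0 fragment that actually holds the first
    four TCP bytes; a too-short first fragment yields None (and is denied)."""
    vihl, _, _, _, flags_off, _, proto = struct.unpack("!BBHHHBB", packet[:10])
    ihl = (vihl & 0x0F) * 4
    offset = flags_off & OFFSET_MASK
    dport = None
    if offset == 0 and proto == 6 and len(packet) >= ihl + 4:
        dport = struct.unpack("!HH", packet[ihl:ihl + 4])[1]
    return proto, offset, dport


def filter_packet(packet, pass_later_fragments):
    """Stateless deny-by-default filter with a single accept rule, TCP to
    port 80.  With pass_later_fragments=True a second rule accepts any
    non-first fragment: it carries no port to check, and is useless to
    the receiver unless its first fragment was also accepted."""
    proto, offset, dport = parse(packet)
    if offset > 0:
        return "allow" if pass_later_fragments else "deny"
    return "allow" if (proto == 6 and dport == 80) else "deny"


def deliver(client_mtu, path_mtu, pass_later_fragments):
    """Send a 1227-byte HTTP request from a client whose MTU bounds its
    TCP segment size, across a link of `path_mtu` that fragments anything
    larger, into the filter.  Returns packet counts and whether every
    piece was accepted (one dropped fragment means the segment never
    reassembles and the request never arrives)."""
    request = b"GET / HTTP/1.0\r\nX-Pad: " + b"a" * 1200 + b"\r\n\r\n"
    mss = client_mtu - IP_HDR_LEN - TCP_HDR_LEN
    segments = [build_ipv4_tcp(CLIENT, SERVER, 1025, 80, request[i:i + mss])
                for i in range(0, len(request), mss)]
    wire = [frag for seg in segments for frag in fragment(seg, path_mtu)]
    verdicts = [filter_packet(p, pass_later_fragments) for p in wire]
    dropped = verdicts.count("deny")
    return {"packets": len(wire), "dropped": dropped, "complete": dropped == 0}


if __name__ == "__main__":
    for args in [(1500, 576, False), (1500, 576, True),
                 (576, 576, False), (1500, 1500, False)]:
        print(args, deliver(*args))
```

Running it shows the four cases side by side: a 1500-byte client behind a 576-byte link loses two of three fragments against the port-only rule set, passes cleanly once non-first fragments are accepted, and passes cleanly with no extra rule at all when the client drops its MTU to 576, because its segments then fit the path unfragmented. The practical check on a real server is the tcpdump Marc asks for: look for inbound packets with a non-zero fragment offset that never appear again after the firewall. ipfw does have a `frag` keyword that matches exactly those non-first fragments, so an accept rule using it is the fix this model corresponds to; the caveat a practitioner should keep in mind is that blindly passing later fragments lets overlapping or tiny-fragment tricks reach the host's reassembly code, so where the kernel can reassemble before filtering that is the safer choice.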