3. NetDefendOS sends an ICMP message to the client to indicate that fragmentation is needed
and the acceptable MTU for the next hop is 1300 or less.
4. The client now resends the packet with the requested 1300 size and this is forwarded by
NetDefendOS towards the server.
5. The router in front of the server sends back an ICMP message to NetDefendOS to indicate
that the packet size is too big and an MTU size of 1000 or less is acceptable.
6. NetDefendOS forwards this ICMP message to the client.
7. The client now resends again using a packet size of 1000 which is acceptable to both the
firewall and the router so the server is now accessible.
Turning Off the DF Flag
NetDefendOS has a global IP setting called Strip Don't Fragment which can be used to disable
the DF (Don't Fragment) flag in a packet. The Strip Don't Fragment setting takes an integer
value which is the MTU size below which the DF flag is always disabled. By default, this property
has a value of 65535 so the DF flag is always disabled.
Disabling the DF flag means that path MTU discovery will not be used for that packet, so a
packet larger than the acceptable MTU of intervening network equipment may be fragmented. In
most cases, this will only cause a degradation in performance.
However, explicitly enabling path MTU discovery on a Service object overrides the Strip Don't
Fragment setting, so the global setting does not need to be changed in order to use MTU discovery.
Note: Not enabling MTU discovery can cause problems
Disabling path MTU discovery can have unintended side effects. If the forwarding of
ICMP errors is disabled, the packet flow can stop if an upstream device sends an ICMP
error in order to lower the MTU and this is not forwarded to the originator of the traffic.
One way to deal with this potential problem is to use the global Strip Don't Fragment
setting to disable the DF flag so packets that are too long can be fragmented when
needed.
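The exchange in the numbered steps above and the Strip Don't Fragment behaviour from the note, as an added simulation in Python that is not part of this manual or of NetDefendOS itself; the hop names, the MTU values 1300 and 1000 taken from the example, and the `Hop`/`send_with_pmtud` names are assumptions:

```python
from dataclasses import dataclass


@dataclass
class Hop:
    name: str
    mtu: int                    # largest packet this device forwards without fragmenting
    forwards_icmp: bool = True  # does it relay ICMP "fragmentation needed" back to the client?


# Constructed path matching the example above: firewall MTU 1300, router MTU 1000
PATH = [Hop("NetDefendOS", 1300), Hop("router", 1000), Hop("server", 1500)]


def send_with_pmtud(path, size, strip_df_below=0, max_resends=10):
    """Send one packet with DF set from the client along `path` (client side first).

    strip_df_below models the global Strip Don't Fragment setting: the first hop
    (NetDefendOS) clears DF on packets smaller than this value (0 = never strip).
    Returns (outcome, final_size, events); outcome is 'delivered',
    'delivered-fragmented' or 'blackholed'.
    """
    events, fragmented = [], False
    for _ in range(max_resends):
        df = size >= strip_df_below
        if not df:
            events.append(f"{path[0].name} strips DF from {size}-byte packet")
        for idx, hop in enumerate(path):
            if size <= hop.mtu:
                continue
            if not df:  # DF cleared: fragment and carry on (slower, but traffic flows)
                events.append(f"{hop.name} fragments {size} -> {hop.mtu}")
                size, fragmented = hop.mtu, True
                continue
            # DF set: drop the packet and send ICMP "fragmentation needed" back toward the client
            events.append(f"{hop.name}: ICMP fragmentation needed, MTU {hop.mtu}")
            blocked = [h.name for h in path[:idx] if not h.forwards_icmp]
            if blocked:
                events.append(f"ICMP error dropped by {blocked[0]}; client never learns the MTU")
                return "blackholed", size, events
            size = hop.mtu  # client resends using the advertised MTU
            break
        else:  # every hop accepted the packet
            return ("delivered-fragmented" if fragmented else "delivered"), size, events
    return "blackholed", size, events


if __name__ == "__main__":
    for line in send_with_pmtud(PATH, 1500)[2]:
        print(line)
```

Running it with ICMP forwarding disabled on the NetDefendOS hop reproduces the stalled flow described in the note, and setting strip_df_below to 65535 shows the fragmented-but-delivered workaround.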
Example 3.19. Enabling Path MTU Discovery
This example shows how to set up path MTU discovery for an existing IP rule called
int_to_ext_http. The rule NATs internal clients to the public Internet. The clients are surfing the
Internet, so a Service object called my_http_pmd_service will be created with path MTU
discovery enabled, and this service will be associated with the IP rule.
Command-Line Interface
First, create a service object:
gw-world:/> add Service ServiceTCPUDP my_http_pmd_service
Type=TCP
DestinationPorts=80,443
PassICMPReturn=Yes
AllowIPv4PathMTUDiscovery=Yes
Chapter 3: Fundamentals