Q: Why does my firewall hate the cambridge picturehouse?

Simon Andrews simon.andrews at bbsrc.ac.uk
Wed Oct 22 16:01:18 CEST 2008


On 22 Oct 2008, at 14:49, Simon Andrews wrote:

>
> On 22 Oct 2008, at 14:37, Jeremy Henty wrote:
>
>> On Wed, Oct 22, 2008 at 02:16:01PM +0100, Ian Spray wrote:
>>
>>> Just try the  'ip link' equivalent of 'ifconfig  eth0 mtu 1400'
>>
>> That was easily done but it's made no difference: the connection still
>> chokes and dies, and the firewall logs loads of dropped packets.  :-(
>
> From what I remember of this it isn't the MTU size which is a
> problem, more that modern linux network stacks use Path MTU
> Discovery (PMD) to try to negotiate a per-connection MTU setting to
> avoid fragmentation.  Some routers mangle the packets which do the
> discovery and it all goes downhill after that.
>
> You can disable Path MTU discovery in linux using:
>
> echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc

Thinking some more about this, it's also possible that your firewall
is blocking the ICMP Frag Needed packets which are being sent back to
you (hence the dropped packets in your logs).  A better fix would be
to allow those packets through so you can do the MTU negotiation.
PMD is a desirable thing and your connection won't be as efficient if
you just disable it.  However, if it's not your firewall which is
blocking these packets you're stuffed and you'd just have to disable
PMD.

Simon.
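As an added example (not part of the original thread), here is a check for the situation Simon describes: scanning the firewall's dropped-packet log for ICMP type 3 code 4 ("Fragmentation Needed") replies, which is what PMTU discovery relies on. The log lines are constructed in the iptables LOG target's format; the addresses and the gateway name "gw" are made up.

```python
import re
from typing import Iterable, List, NamedTuple

# Constructed sample of iptables LOG output (not real data from the thread):
# two dropped ICMP "Fragmentation Needed" replies from a router on the path,
# plus an unrelated dropped TCP SYN and an echo-reply that must not match.
SAMPLE_LOG = """\
Oct 22 14:49:01 gw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=576 TOS=0x00 PREC=0xC0 TTL=58 ID=0 DF PROTO=ICMP TYPE=3 CODE=4 [SRC=192.0.2.10 DST=203.0.113.9 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=4123 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0 ] MTU=1400
Oct 22 14:49:02 gw kernel: DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 22 14:49:03 gw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=98 TOS=0x00 PREC=0x00 TTL=58 ID=2 PROTO=ICMP TYPE=0 CODE=0 ID=7 SEQ=1
Oct 22 14:49:05 gw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=576 TOS=0x00 PREC=0xC0 TTL=58 ID=0 DF PROTO=ICMP TYPE=3 CODE=4 [SRC=192.0.2.10 DST=203.0.113.9 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=4124 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0 ] MTU=1400
"""

# ICMP type 3 (Destination Unreachable) code 4 (Fragmentation Needed); the LOG
# target appends the next-hop MTU carried in the message as "MTU=<n>".
ICMP_FRAG_NEEDED = re.compile(r"PROTO=ICMP TYPE=3 CODE=4\b.*?\bMTU=(?P<mtu>\d+)")
# The first SRC/DST pair on the line is the outer IP header; the pair inside
# "[...]" belongs to the quoted original packet and must be ignored.
OUTER_HDR = re.compile(r"\bSRC=(?P<src>\S+) DST=(?P<dst>\S+)")


class FragNeededDrop(NamedTuple):
    src: str  # router that sent the Fragmentation Needed message
    dst: str  # our host, whose too-large packet was rejected
    mtu: int  # next-hop MTU the router is asking the host to use


def frag_needed_drops(log_lines: Iterable[str]) -> List[FragNeededDrop]:
    """Return every dropped ICMP Fragmentation Needed message in the log."""
    found = []
    for line in log_lines:
        m = ICMP_FRAG_NEEDED.search(line)
        if not m:
            continue
        hdr = OUTER_HDR.search(line)
        if not hdr:
            continue
        found.append(FragNeededDrop(hdr["src"], hdr["dst"], int(m["mtu"])))
    return found


def pmtud_blocked(log_lines: Iterable[str]) -> bool:
    """True when the firewall itself is discarding the ICMP that PMTUD needs."""
    return bool(frag_needed_drops(log_lines))


if __name__ == "__main__":
    for d in frag_needed_drops(SAMPLE_LOG.splitlines()):
        print(f"{d.src} told {d.dst} to use MTU {d.mtu}, but the firewall dropped it")
```

If the check reports drops, the fix the message prefers is to accept that ICMP type ahead of the drop rule, for example `iptables -I INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT`, rather than setting `ip_no_pmtu_disc`.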


