[Nottingham] Odd behaviour in KDE

Iain Lennon nottingham at mailman.lug.org.uk
Thu Aug 21 07:45:01 2003


I'm using shorewall with pretty much the default configuration, with a few 
additional rules to deny ports to the internet which seemed unblocked using 
the scan.sygate.com site to check (this site seems quite a useful tool!)

I'll go back and have a look at the internal network rules, but I'm pretty 
sure I'm allowing all traffic

On Wednesday 20 Aug 2003 16:02, Robert Davies wrote:
> On Wednesday 20 Aug 2003 14:28, Iain Lennon wrote:
> > Aug  4 16:35:37 whitetower snort: [1:521:1] MISC Large UDP Packet
> >
> > [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP}
> > 192.168.1.2:800 -> 192.168.1.1:2049
> >
> > Just an example.
> >
> > MTUs on all machines were set at 1500 (obviously a default). Searching
> > the mailing lists for wlan-ng a setting of 2346 was evidently the setting
> > to use,
>
> I've read, that according to the RFC UDP packets with payload larger than
> 512 bytes do not have to be supported by hosts on the Internet, so that
> warning might simply be about large UDP packets, generated by something
> like NFS.
>
> Your symptoms are very similar to a problem I encountered when Solaris2 was
> first getting deployed.  It set the Do Not Fragment bits and some routers,
> didn't handle it properly, or the ICMP messages might have been filtered
> away, so the host could never discover it's packet size was larger than the
> MTU at some point on the path.
>
> So have you some heavy duty firewall filtering for security purposes that
> might be throwing away ICMP messages, telling your host to reduce it's
> transmission size?
>
> Rob
>
>
> _______________________________________________
> Nottingham mailing list
> Nottingham@mailman.lug.org.uk
> http://mailman.lug.org.uk/mailman/listinfo/nottingham
>
> ________________________________________________________________________
> This email has been scanned using the CleanPort MEF antivirus
> system. Funded for members by the Doctors.net.uk Bulletin service
> How does this protect me? http://www.Doctors.net.uk/qualityemail
> ________________________________________________________________________

-- 
Dr Iain Lennon