On Fri, Jul 18, 2003 at 07:47:29AM -0600, Curtis Call wrote:
> Are you explicitly allowing fragments through? When a packet is fragmented
> only the first fragment contains the TCP/UDP header. So if you're only
> permitting based on that header the fragments won't make it.

Are you sure about this? Doesn't defrag occur on the fw by default? Especially when you do NAT it cannot work without this logic? And I don't recall any mention of "let fragments through" in the howtos or alike.

Ramin
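The point under discussion, as an added example that is not part of the thread: a constructed IPv4/TCP datagram is split into fragments, and the same "allow TCP to port 80" rule is applied once per fragment (a stateless filter) and once to the reassembled datagram (what a defragmenting firewall does). The packet builder, fragmenter, rule and reassembler are all assumptions written for this illustration; the addresses, ports and payload are constructed, nothing touches the network, and checksums are left at zero.

```python
"""Added example: why a header-matching rule sees the TCP header only in the
first fragment, and how reassembling before filtering avoids that."""
import struct

def build_ipv4_tcp(src, dst, sport, dport, payload, ident=0x1234):
    """Return a raw IPv4 datagram carrying a minimal TCP segment (constructed;
    checksums are zero because nothing here is sent on a wire)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ident, 0,
                     64, 6, 0, src, dst)
    return ip + tcp

def fragment(datagram, mtu):
    """Split an IPv4 datagram into fragments of at most mtu bytes.
    Only the first fragment keeps the transport header; later fragments
    carry only a slice of the payload (offsets are in 8-byte units)."""
    ihl = (datagram[0] & 0x0F) * 4
    hdr, payload = datagram[:ihl], datagram[ihl:]
    chunk = (mtu - ihl) // 8 * 8          # payload per fragment, 8-byte aligned
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        more_fragments = off + chunk < len(payload)
        flags_off = (0x2000 if more_fragments else 0) | (off // 8)
        new_hdr = (hdr[:2] + struct.pack("!H", ihl + len(piece)) + hdr[4:6]
                   + struct.pack("!H", flags_off) + hdr[8:])
        frags.append(new_hdr + piece)
    return frags

def header_rule_allows(packet, allowed_dport):
    """Stateless rule: accept TCP whose destination port matches.
    A non-first fragment has no TCP header, so the rule cannot match it."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    frag_off = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if proto != 6 or frag_off != 0:
        return False   # not TCP, or no transport header in this fragment
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return dport == allowed_dport

def reassemble(frags):
    """Rebuild one datagram from its fragments (all assumed to belong to the
    same src/dst/id/proto), the way a defragmenting firewall does before its
    rules run. Raises ValueError on a gap between fragments."""
    frags = sorted(frags, key=lambda p: struct.unpack("!H", p[6:8])[0] & 0x1FFF)
    ihl = (frags[0][0] & 0x0F) * 4
    expected = 0
    payload = b""
    for p in frags:
        off = (struct.unpack("!H", p[6:8])[0] & 0x1FFF) * 8
        if off != expected:
            raise ValueError("missing fragment before offset %d" % off)
        payload += p[ihl:]
        expected = off + len(p) - ihl
    hdr = frags[0][:ihl]
    new_hdr = (hdr[:2] + struct.pack("!H", ihl + len(payload)) + hdr[4:6]
               + b"\x00\x00" + hdr[8:])        # flags/offset cleared
    return new_hdr + payload

def filter_fragments(frags, allowed_dport, defragment):
    """Per-fragment verdicts for a stateless filter, or the single verdict a
    defragmenting firewall reaches on the reassembled datagram."""
    if defragment:
        return [header_rule_allows(reassemble(frags), allowed_dport)]
    return [header_rule_allows(f, allowed_dport) for f in frags]

if __name__ == "__main__":
    # Constructed sample: 3000-byte payload, MTU 1500 -> three fragments.
    pkt = build_ipv4_tcp(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02",
                         40000, 80, b"A" * 3000)
    frags = fragment(pkt, 1500)
    print("stateless verdicts:", filter_fragments(frags, 80, False))
    print("defragmenting verdict:", filter_fragments(frags, 80, True))
```

With the stateless rule only the first fragment passes and the other two are dropped, so the receiver never reassembles the datagram; with reassembly first, the rule is evaluated once against the whole datagram and it is accepted. Which behaviour a real firewall shows depends on whether it defragments before filtering: on Linux, once connection tracking (and therefore NAT) is in use, netfilter reassembles incoming datagrams before the rules see them, so the stateless case above models a filter without connection tracking.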