See: http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-7.html#ss7.3

Scroll down to 'Specifying fragments'. Looks like whether it is reassembled prior to the filter depends on a few different factors...

Anyway, I was having problems with a local firewall filter stalling my large IMAP downloads. Permitting fragments did the trick...

Ramin Dousti <ramin@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Fri, Jul 18, 2003 at 07:47:29AM -0600, Curtis Call wrote:
>
> > Are you explicitly allowing fragments through? When a packet is fragmented
> > only the first fragment contains the TCP/UDP header. So if you're only
> > permitting based on that header the fragments won't make it.
>
> Are you sure about this? Doesn't defrag occur on the fw by default? Especially
> when you do nat it cannot work without this logic? And I don't recall any
> mention of "let fragments through" in the howto's or alike.
>
> Ramin
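The point raised in the quoted reply, that only the first fragment carries the TCP/UDP header, shown as an added example that is not part of the original thread. The Python below builds a constructed fragmented TCP segment to port 143 and applies a port-only permit rule to each fragment with no reassembly; the addresses, ports and function names are assumptions for illustration.

```python
import struct

def ipv4_packet(proto, offset_units, more_fragments, payload):
    """Build a 20-byte IPv4 header (checksum left at 0) plus payload."""
    flags_frag = (0x2000 if more_fragments else 0) | offset_units
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         flags_frag, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + payload

def fragment(proto, segment, chunk):
    """Split an L4 segment into IPv4 fragments of `chunk` payload bytes."""
    if chunk % 8:
        raise ValueError("fragment offsets are counted in 8-byte units")
    parts = [segment[i:i + chunk] for i in range(0, len(segment), chunk)]
    return [ipv4_packet(proto, i * chunk // 8, i < len(parts) - 1, part)
            for i, part in enumerate(parts)]

def classify(packet):
    """Return (kind, dst_port); dst_port is None when no L4 header is visible."""
    ihl = (packet[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    offset, more = flags_frag & 0x1FFF, bool(flags_frag & 0x2000)
    if offset > 0:
        return ("later-fragment", None)   # payload starts mid-segment
    kind = "first-fragment" if more else "unfragmented"
    if packet[9] in (6, 17) and len(packet) >= ihl + 4:
        return (kind, struct.unpack("!H", packet[ihl + 2:ihl + 4])[0])
    return (kind, None)

def port_rule_matches(packet, dport):
    """Port-only permit rule applied per packet, with no reassembly."""
    return classify(packet)[1] == dport

# Constructed sample: TCP header (sport 50000, dport 143/IMAP) + 28 data bytes.
SAMPLE_SEGMENT = struct.pack("!HHIIBBHHH", 50000, 143, 0, 0,
                             0x50, 0x18, 65535, 0, 0) + b"A" * 28

if __name__ == "__main__":
    for pkt in fragment(6, SAMPLE_SEGMENT, 24):
        print(classify(pkt), "permitted:", port_rule_matches(pkt, 143))
```

The second fragment has no port to match, so a port-only rule drops it and the large transfer stalls; a filter that reassembles before matching never sees this case.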