On 30.05.2024 at 00:47:56, Peter wrote:

> On Wed, May 29, 2024 at 12:20:09PM +0200, Matus UHLAR - fantomas
> wrote:
! > On Tue, May 28, 2024 at 09:09:20PM +0200, Marco Moock
> wrote:
! > > rinetd manages 2 separate connections and should work
> with PMTUD.
! >
! On 28.05.24 22:17, Peter wrote:
> ! > I'm wondering how it would. The connections are TCP, the PMTU
> works
! > via ICMP6.

Please stop using ! as a quoting character, it will break line wrapping
when replying and create a mess in the mailing list.

> ! No, Path MTU discovery works with TCPv4 using ICMPv4 as well.
> ! (although it was/is quite common to block ICMP packets which can
> make it not
! work properly)
>
> That is a different matter, lots of people switch them off
> and things do still work, because we're in most cases allowed to
> defragment (firewalls do that) and refragment at any point on the
> way as needed.

That only applies if the router wants to fragment it and if the DF bit is
NOT set by the sender.

> Blocking ICMPv4 is a practise that is certainly annoying, but what
> can we do?

Telling those who do it that it is a really bad idea and not implementing
workarounds.

> ! > So I would assume, the ICMP "packet too big" message
> ! > reaches the host where rinetd runs, is swallowed by the kernel,
> and
! > the kernel sets the MTU in its hostcache. Or something along
> that
! > line.
> ! >
! > The TCP traffic however gets forwarded by rinetd to the internal
> ! > appserver(s) - which never get the message that they should reduce
> ! > their MTU.
> ! >
! The data from one TCP connection are sent through another TCP
> connection,
! where both connections are separate with separate MTU
> and PMTUD.
>
> A new quintuple, then. Hm. Not sure why I was unhappy with that...

Didn't you say you never tried rinetd?

> one reason was probably that a webserver would not be able to know the
> client address.

That is indeed the case and logging will be much more complicated,
including banning with fail2ban.

--
Regards
Marco

Send unsolicited bulk mail to
1717022876mu...@cartoonies.org
bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users