
Re: [cobalt-users] ICMP replies RaQ issues..



> First, check out /etc/protocols -- note that ICMP, UDP, and TCP
> are all IP protocols.  "ICMP on port 80" makes _no sense_.

I'm only writing down what someone from Cisco wrote me about the 827 router.

> Second, running a RaQ over DSL and masquerading is going through
> a lot of pain for no real gain.  Why?  If you must use DSL, why
> not get the proper IP space, or at least bridge if you can only
> get one IP address.

That makes no sense either, it has never been a lot of pain for me,
furthermore, you have to realize how many companies don't have the
capitalist view you have, let alone can cough up the money for
"the proper IP-space". I maintain Qubes for people on a cable modem,
RaQs for people using a dial-up, almost. It always works fine.
 
> Third, I doubt it's the wrong MTU being answered.  My suspicion
> is that ICMP type 3 is getting blocked, which breaks path MTU
> discovery.

Blocked by whom or what?

> Path MTU discovery works by a machine sending out a packet with
> the DF (don't fragment) bit set... if it's larger than the MTU
> somewhere along the line, you receive an ICMP unreachable with
> code 4, fragmentation needed but DF set.  Try it a few times, and
> whallah! the MTU is learned.

I've read this a thousand times already, it's everywhere on the net,
it doesn't help me one bit with the current problem.

> Your RaQ automagically handles this behind the scenes.  It's part
> of the IP stack, and has _nothing_ to do with Apache.

Well, port 80 is the only one pointing to the machine,
so the replies are going over that port as well,
that's why I write "ICMP on port 80", hence Apache.
 
> Now the big question:  Where is ICMP going awry?  If ipchains
> doesn't have an erroneous rule to block all ICMP (well, at least
> type 3), then it's your router giving you grief.

OK, so how do I solve that?
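
Added example, not part of the original message: a Python decoder for the ICMP type 3 code 4 ("fragmentation needed but DF set") message that path MTU discovery depends on, useful for checking whether such messages arrive in a packet capture. It shows that the ICMP message carries no port of its own; port 80 appears only in the embedded copy of the original TCP header. The addresses, ports and the 1492-byte MTU are constructed sample values, and the function names are this example's own.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; a valid ICMP message checksums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_sample(mtu: int = 1492) -> bytes:
    """Constructed sample: a router rejects a 1500-byte DF packet sent from port 80."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 63, 6, 0,
                           socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.20"))
    inner_tcp = struct.pack("!HHI", 80, 51515, 1)  # first 8 bytes of the TCP header
    body = inner_ip + inner_tcp
    header = struct.pack("!BBHHH", 3, 4, 0, 0, mtu)
    csum = inet_checksum(header + body)
    return struct.pack("!BBHHH", 3, 4, csum, 0, mtu) + body

def parse_frag_needed(icmp: bytes):
    """Decode an ICMP type 3 code 4 message; return None for any other ICMP message."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("truncated ICMP error message")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, _unused, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        return None
    inner = icmp[8:]  # copy of the original IP header plus 8 bytes of its payload
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("embedded IP header is malformed")
    flags_frag, = struct.unpack("!H", inner[6:8])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {
        "next_hop_mtu": next_hop_mtu,  # 0 means a pre-RFC 1191 router that reports no MTU
        "df_set": bool(flags_frag & 0x4000),
        "protocol": inner[9],  # 6 = TCP; the ports only mean something for TCP/UDP
        "orig_src": (socket.inet_ntoa(inner[12:16]), sport),
        "orig_dst": (socket.inet_ntoa(inner[16:20]), dport),
    }

if __name__ == "__main__":
    print(parse_frag_needed(build_sample()))
```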