
Is there a way to permit ping packets larger than 1472 through a Juniper SSG520M firewall?

"Ping of Death" and "Large Size ICMP Packet" protection has already been disabled under the 'Screening' options.

I need to be able to ping from the Trust side to the Untrust side (and perhaps vice versa) with packets larger than 1500 (i.e. ping 192.168.1.1 -l 4096) so I can force fragmentation.

Peter

2 Answers


Note that Linux ping by default these days seems to set the don't fragment bit. Check the man page for your implementation (as there are several, depending on distribution, sigh).

For the "iputils" version you want the "-M dont" option.

LapTop006
  • This was done from an XP machine. The don't fragment bit should cause the (in this case) firewall to reply back to my machine with a smaller MTU size so my machine can fragment the traffic. This is either not happening or the firewall is simply blocking the traffic because it violates some security setting. – Peter Jun 20 '09 at 12:37
  • What about logging on the Juniper? All drops should be traceable. – nik Jun 20 '09 at 19:58
  • One more thing to check. Is the Juniper configured to block ICMP responses? That would stop the error response. – nik Jun 20 '09 at 20:05

If you log in to the CLI, you should be able to see why the ping is being dropped with ffilter. Something along the lines of "set ffilter dst-ip <whatever> src-ip <whatever>"

That should tell you what rule is actually dropping the ping, so you can turn it off.

Cian