fragment


The fragment command provides additional management of packet fragmentation and improves compatibility with NFS. (Configuration Mode.)

fragment size database-limit [interface]

fragment chain chain-limit [interface]

fragment timeout seconds [interface]

clear fragment

show fragment [interface]


Syntax

size Sets the maximum number of packets in the fragment database. The default is 200.
chain Specifies the maximum number of packets into which a full IP packet can be fragmented. The default is 24.
timeout Specifies the maximum number of seconds that a packet fragment will wait to be reassembled after the first fragment is received before being discarded. The default is 5 seconds.
clear Resets the fragment databases to their defaults. All fragments currently waiting for reassembly are discarded, and the size, chain, and timeout options are reset to their default values.
show Displays the state of the fragment database:
Size Maximum packets set by the size option.
Chain Maximum fragments for a single packet set by the chain option.
Timeout Maximum seconds set by the timeout option.
Queue Number of packets currently awaiting reassembly.
Assemble Number of packets successfully reassembled.
Fail Number of packets which failed to be reassembled.
Overflow Number of packets which overflowed the fragment database.
database-limit The default is 200. The maximum is 1,000,000 or the total number of blocks.
chain-limit The default is 24. The maximum is 8200.
seconds The default is 5 seconds. The maximum is 30 seconds.
interface The firewall interface. If not specified, the command will apply to all interfaces.


Usage Guidelines

In general, the default values should be used. However, if a large percentage of the network traffic through the firewall is NFS (which generates large UDP datagrams that are fragmented at the IP layer), additional tuning may be necessary to avoid database overflow. System log message 209003 is generated when the fragment database overflows; see that message for additional information.

In an environment where the MTU between the NFS server and client is small, such as a WAN interface, the chain option may require additional tuning. In this case, NFS over TCP is highly recommended to improve efficiency.

Setting the database-limit of the size option to a large value can make the firewall more vulnerable to a DoS attack by fragment flooding, because every queued fragment holds a block until it is reassembled or times out. Do not set the database-limit equal to or greater than the total number of blocks in the 1550-byte or 16384-byte block pool; see the show block command for the current pool sizes. Because each interface has its own fragment database, the default values confine a DoS due to fragment flooding to the interface on which the flood arrives.


Examples

The following example configures the outside fragment database with a maximum database size of 2000 packets, a maximum chain length of 45 fragments, and a reassembly wait time of 10 seconds. The interface name follows the value, as in the syntax above:

    pixfirewall(config)# fragment size 2000 outside
    pixfirewall(config)# fragment chain 45 outside
    pixfirewall(config)# fragment timeout 10 outside

The clear fragment command resets the fragment databases. Specifically, all fragments awaiting re-assembly are discarded. In addition, the size is reset to 200; the chain limit is reset to 24; and the timeout is reset to 5 seconds.

The show fragment command displays the state of the fragment databases. If an interface name is specified, only the database residing at the specified interface is displayed.

    pixfirewall(config)# show fragment outside
    Interface:outside
    Size:2000, Chain:45, Timeout:10
    Queue:1060, Assemble:809, Fail:0, Overflow:0

The preceding example shows that the "outside" fragment database has the following:

  • A database size limit of 2000 packets.
  • A chain length limit of 45 fragments.
  • A timeout of ten seconds.
  • 1060 packets currently awaiting re-assembly.
  • 809 packets fully reassembled.
  • No failures.
  • No overflows.

With 1060 of 2000 entries in use, this fragment database is under heavy usage. If Queue keeps approaching Size, the Overflow counter will begin to climb and system log message 209003 will be generated; at that point either raise the size (staying below the block pool total) or reduce the share of fragmented traffic, for example by moving NFS to TCP.
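The following is an added monitoring example, not part of the original command reference. It parses the show fragment output format shown above and applies the checks the Usage Guidelines call for: a non-zero Overflow or Fail counter, a Queue close to the Size limit, a Size at or above the block pool total, and values outside the documented maxima. The sample output is constructed (the "inside" entry is invented to show a database in trouble), and block_pool_total is a hypothetical input that you would take from show block yourself; the script does not talk to a device.

```python
import re

# Constructed sample in the documented "show fragment" layout; the "inside"
# entry is invented to show a database that is overflowing, not captured output.
SAMPLE_SHOW_FRAGMENT = """\
Interface:outside
Size:2000, Chain:45, Timeout:10
Queue:1060, Assemble:809, Fail:0, Overflow:0
Interface:inside
Size:200, Chain:24, Timeout:5
Queue:200, Assemble:12, Fail:7, Overflow:31
"""

# Documented maxima for the three tunables (from the Syntax section).
MAX_SIZE, MAX_CHAIN, MAX_TIMEOUT = 1_000_000, 8200, 30

_ENTRY_RE = re.compile(
    r"Interface:(?P<name>\S+)\s*\n"
    r"Size:(?P<size>\d+), Chain:(?P<chain>\d+), Timeout:(?P<timeout>\d+)\s*\n"
    r"Queue:(?P<queue>\d+), Assemble:(?P<assemble>\d+), "
    r"Fail:(?P<fail>\d+), Overflow:(?P<overflow>\d+)"
)


def parse_show_fragment(text):
    """Return {interface_name: {field: int}} from show fragment output."""
    databases = {}
    for match in _ENTRY_RE.finditer(text):
        fields = match.groupdict()
        name = fields.pop("name")
        databases[name] = {key: int(value) for key, value in fields.items()}
    return databases


def validate_limits(size, chain, timeout):
    """Return a list of values that exceed the documented maxima."""
    problems = []
    if not 1 <= size <= MAX_SIZE:
        problems.append(f"size {size} outside 1..{MAX_SIZE}")
    if not 1 <= chain <= MAX_CHAIN:
        problems.append(f"chain {chain} outside 1..{MAX_CHAIN}")
    if not 1 <= timeout <= MAX_TIMEOUT:
        problems.append(f"timeout {timeout} outside 1..{MAX_TIMEOUT}")
    return problems


def assess(db, block_pool_total=None, queue_warn=0.75):
    """Return findings for one interface's fragment database.

    block_pool_total is a hypothetical input: the block count of the 1550-byte
    or 16384-byte pool reported by show block. The page requires size to stay
    below it; queue_warn is the Queue/Size ratio at which we warn (assumed 75%).
    """
    findings = list(validate_limits(db["size"], db["chain"], db["timeout"]))
    if db["overflow"] > 0:
        findings.append(
            f"overflow={db['overflow']}: database too small or fragment flood "
            "(expect syslog 209003)"
        )
    if db["fail"] > 0:
        findings.append(f"fail={db['fail']}: packets timed out or exceeded chain limit")
    utilisation = db["queue"] / db["size"] if db["size"] else 0.0
    if utilisation >= queue_warn:
        findings.append(f"queue {db['queue']}/{db['size']} ({utilisation:.0%}) near limit")
    if block_pool_total is not None and db["size"] >= block_pool_total:
        findings.append(
            f"size {db['size']} >= block pool {block_pool_total}: "
            "lower size (fragment-flood DoS exposure)"
        )
    return findings


def report(text, block_pool_total=None):
    """Assess every database in the output; returns {interface: [findings]}."""
    return {
        name: assess(db, block_pool_total)
        for name, db in parse_show_fragment(text).items()
    }


if __name__ == "__main__":
    for interface, findings in report(SAMPLE_SHOW_FRAGMENT, block_pool_total=1550).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{interface}: {status}")
```

Run it periodically against the output of show fragment for each interface and alert on any non-empty finding list; an Overflow counter that keeps increasing on a single interface, with the other interfaces quiet, is the signature of the per-interface fragment flood the Usage Guidelines describe.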