From owner-freebsd-security Sun Sep 3 10:47:14 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ibb0021.ibb.uu.nl (ibb0021.ibb.uu.nl [131.211.124.21])
    by hub.freebsd.org (Postfix) with ESMTP id 7430737B423;
    Sun, 3 Sep 2000 10:47:11 -0700 (PDT)
Received: by ibb0021.ibb.uu.nl (Postfix) id AA8CC7B3;
    Sun, 3 Sep 2000 19:46:12 +0200 (CEST)
Date: Sun, 3 Sep 2000 19:46:11 +0200
From: Mipam
To: Nate Williams
Cc: Robert Watson, Dragos Ruiu, cjclark@alum.mit.edu, "Crist J . Clark", Bill Fumerola, Nicolas, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and fragments
Message-ID: <20000903194611.A10607@ibb0021.ibb.uu.nl>
Reply-To: mipam@ibb.net
References: <0009030256211M.20066@smp.kyx.net> <200009031727.LAA03881@nomad.yogotech.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200009031727.LAA03881@nomad.yogotech.com>; from nate@yogotech.com on Sun, Sep 03, 2000 at 11:27:46AM -0600
X-Obviously: All email clients suck. Only Mutt sucks less!
X-Editor: Vi
X-Operating-System: BSD
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Actually, isn't the purpose of PMTU to avoid the need to fragment the
> packet at intermediate routers? Since PMTU involves both endpoints of
> the link, thus allowing the originator to determine *if* a packet of a
> particular size can make it all the way from one end to the other w/out
> fragmentation.
>

As far as I can tell, it is :)
Nice link for this:
http://www.cis.ohio-state.edu/rfc/rfc1191.txt
In other words, RFC 1191 has nice info about it.
I guess this is another good reason to allow icmp, especially type 3 code 4.

Now, I came to icmp again, a remark on the icmp discussion from last time.
No need to explicitly specify to allow icmp type 0 on ipf.
Icmp state keeping will result in the answer coming through on the initial icmp type 8.
That is, I never experienced trouble doing it this way.
That doesn't mean that it's all right.
Maybe there are circumstances in which you wish to explicitly allow icmp type 0 to come in, in which case I'd like to hear about it :)

Bye,

Mipam.