Date:      Thu, 8 Jun 2000 19:21:36 +0930
From:      Mark Newton <newton@internode.com.au>
To:        Dave Preece <dave.preece@kbgroup.co.nz>
Cc:        "Kenneth D. Merry" <ken@kdm.org>, freebsd-hackers@FreeBSD.ORG
Subject:   Re: Path MTU discovery.
Message-ID:  <20000608192136.A48159@internode.com.au>
In-Reply-To: <67B808B0DD93D211ABEE0000B498356B02BC71@internet.kbgroup.co.nz>
References:  <67B808B0DD93D211ABEE0000B498356B02BC71@internet.kbgroup.co.nz>

On Thu, Jun 08, 2000 at 07:21:57PM +1200, Dave Preece wrote:

 > So... thinking about what this means for firewalls and natd. If we block all
 > incoming ICMP's across the firewall, it is quite possible that a server
 > behind the firewall could completely fail to send packets to a client on a
 > smaller MTU (modem user with MTU set to 576, for instance).
 
Yes, that's correct -- the idea that ICMP is a separate and optional
part of TCP/IP is fundamentally wrong.  Blocking it unconditionally
is a recipe for all kinds of hard-to-debug lossage around your firewall.
Just Say No.

    - mark

-- 
Mark Newton                               Email:  newton@internode.com.au (W)
Network Engineer                          Email:  newton@atdot.dotat.org  (H)
Internode Systems Pty Ltd                 Desk:   +61-8-82232999
"Network Man" - Anagram of "Mark Newton"  Mobile: +61-416-202-223
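The black-hole scenario Dave describes and Mark confirms, as an added example that is not part of this thread (constructed here, not FreeBSD, ipfw or natd code): a small simulation of RFC 1191 Path MTU discovery in which a server behind a firewall sends DF-set segments, a 576-byte hop returns ICMP type 3 code 4 with the next-hop MTU, and the firewall either drops all ICMP or passes only fragmentation-needed messages. The policy names and the stub IP header are assumptions for the demo.

```python
"""Simulate RFC 1191 Path MTU discovery across a firewall that either drops
all ICMP or passes only ICMP type 3 code 4 (fragmentation needed)."""
import struct

ICMP_DEST_UNREACH, CODE_FRAG_NEEDED = 3, 4

def icmp_checksum(data: bytes) -> int:
    """Standard Internet checksum; returns 0 when run over a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frag_needed(next_hop_mtu: int, orig_hdr: bytes) -> bytes:
    """ICMP type 3 code 4 carrying the next-hop MTU field, plus the
    offending datagram's header as a router would echo it back."""
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, CODE_FRAG_NEEDED,
                       0, 0, next_hop_mtu) + orig_hdr
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

def parse_frag_needed(pkt: bytes):
    """Return the advertised next-hop MTU, or None for anything that is
    not a well-formed fragmentation-needed message (bad checksum, other type)."""
    if len(pkt) < 8 or icmp_checksum(pkt) != 0:
        return None
    t, c, _, _, mtu = struct.unpack("!BBHHH", pkt[:8])
    return mtu if (t, c) == (ICMP_DEST_UNREACH, CODE_FRAG_NEEDED) else None

def firewall_passes(pkt: bytes, policy: str) -> bool:
    """'block_all_icmp' is the policy Dave asks about; 'allow_pmtud' admits
    only fragmentation-needed messages (assumed policy names)."""
    if policy == "block_all_icmp":
        return False
    return parse_frag_needed(pkt) is not None

def send_with_pmtud(path_mtus, policy, start_mtu=1500, tries=5):
    """Server behind the firewall sizes DF segments to its current PMTU
    estimate. Returns (final_mtu, delivered). If the firewall eats the
    router's reply, the sender retransmits at the same size forever."""
    mtu = start_mtu
    for _ in range(tries):
        bottleneck = min(path_mtus)
        if mtu <= bottleneck:
            return mtu, True
        # constructed 28-byte stub standing in for the echoed IP header + 8 bytes
        reply = build_frag_needed(bottleneck, b"\x45\x00" + b"\x00" * 26)
        if not firewall_passes(reply, policy):
            continue  # silent black hole: no feedback, same size next try
        mtu = parse_frag_needed(reply)
    return mtu, False
```

With `[1500, 576]` as the path (the modem user in the thread) the sender settles at 576 only when the firewall lets type 3 code 4 through; under the block-all policy it never gets below 1500 and the connection stalls.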