Date: Thu, 8 Jun 2000 09:00:17 -0700 (PDT)
From: Nate Williams <nate@yogotech.com>
To: Dave Preece <dave.preece@kbgroup.co.nz>
Cc: "Kenneth D. Merry" <ken@kdm.org>, freebsd-hackers@FreeBSD.ORG
Subject: RE: Path MTU discovery.
Message-ID: <200006081600.JAA24953@nomad.yogotech.com>
In-Reply-To: <67B808B0DD93D211ABEE0000B498356B02BC71@internet.kbgroup.co.nz>
References: <67B808B0DD93D211ABEE0000B498356B02BC71@internet.kbgroup.co.nz>

> > > Just learning about this: I can see the advantages but does
> > anything use it?
> >
> > Sure, TCP uses it.
> >
> So... thinking about what this means for firewalls and natd. If we block all
> incoming ICMP's across the firewall

The moral of the story is don't block *ALL* incoming ICMP's across the
firewall. :)

Something like:

/sbin/ipfw add 1000 pass icmp from any to any via ${netif} icmptypes 0,3,11

Works for me, although you may not want type 11 packets coming in. (I
allow them in, so I can run traceroute);

Nate
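
An added example, not part of the message above: a small parser that reads an ICMP message, picks out the "fragmentation needed" signal that path MTU discovery relies on (type 3, code 4, next-hop MTU field as laid out in RFC 1191), and reports whether a type-based allow list like the rule's `icmptypes 0,3,11` would let it through. The function names and the sample packets are constructed for illustration.

```python
import struct

# ICMP types admitted by the rule in the message: icmptypes 0,3,11
ALLOWED_TYPES = {0, 3, 11}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Build a constructed sample ICMP message (hypothetical helper for the demo)."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

def classify(msg: bytes, allowed=ALLOWED_TYPES) -> dict:
    """Parse an ICMP message and report what a type-based filter does with it."""
    if len(msg) < 8:
        raise ValueError("ICMP header truncated")
    if icmp_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, _unused, low16 = struct.unpack("!BBHHH", msg[:8])
    pmtud = icmp_type == 3 and code == 4  # destination unreachable, frag needed
    return {
        "type": icmp_type,
        "code": code,
        "pmtud_signal": pmtud,
        "next_hop_mtu": low16 if pmtud else None,  # field only defined for 3/4
        "passes": icmp_type in allowed,
    }

# Constructed samples: 28 zero bytes stand in for the quoted IP header + 8 bytes.
FRAG_NEEDED = build_icmp(3, 4, struct.pack("!HH", 0, 1400), bytes(28))
ECHO_REQUEST = build_icmp(8, 0, struct.pack("!HH", 0x1234, 1), b"ping")

if __name__ == "__main__":
    for name, pkt in (("frag-needed", FRAG_NEEDED), ("echo-request", ECHO_REQUEST)):
        print(name, "icmptypes 0,3,11 ->", classify(pkt))
        print(name, "block all ICMP   ->", classify(pkt, allowed=set())["passes"])
```

With an empty allow list the type 3 code 4 message is dropped, so the sending TCP never learns the smaller MTU; with types 0, 3 and 11 allowed it passes while inbound echo requests (type 8) are still refused.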