From owner-freebsd-security Mon Jan 18 21:09:08 1999
Return-Path: 
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA15003 for freebsd-security-outgoing; Mon, 18 Jan 1999 21:09:08 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from puck.nether.net (puck.nether.net [204.42.254.5]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA14998 for ; Mon, 18 Jan 1999 21:09:05 -0800 (PST) (envelope-from jared@puck.nether.net)
Received: (from jared@localhost) by puck.nether.net (8.9.2/8.7.3) id AAA11517; Tue, 19 Jan 1999 00:09:02 -0500 (EST) (envelope-from jared)
Date: Tue, 19 Jan 1999 00:09:02 -0500
From: Jared Mauch
To: Christian Kuhtz
Cc: security@FreeBSD.ORG
Subject: Re: icmp
Message-ID: <19990119000902.A11438@puck.nether.net>
Mail-Followup-To: Christian Kuhtz, security@FreeBSD.ORG
References: <19990118230751.D5878@oreo.adsu.bellsouth.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.1i
In-Reply-To: <19990118230751.D5878@oreo.adsu.bellsouth.com>; from Christian Kuhtz on Mon, Jan 18, 1999 at 11:07:51PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Jan 18, 1999 at 11:07:51PM -0500, Christian Kuhtz wrote:
>
> Nate, et al,
>
> You are right. If PMTU Discovery actually occurs, filtering ICMP unreachable-
> need frag does break things. Mea culpa.
>
> I had never seen it do that and based on that falsely concluded that it
> wouldn't be affected, since one almost always got away with it (thanks to
> widespread Ethernet). Learned a lot about ICMP processing in BSD while
> reading the sources, though ;).

Do not fear; this is a common mistake, actually. The problem is that it
becomes too common. People use filtering icmp as a hack fix in cases to
drop traffic that could be DoS or otherwise unrelated.

I remember several years ago getting icmp redirects sent halfway across the
world from broken routers, and attempted to do a great deal of work to get
people to fix them :)

What is good is not telling people that "you're an idiot, that breaks
stuff", but taking the time to explain why and how it can, and help educate
and require your vendors (both in the Free software community, and in the
Commercial megabucks world) to comply with them once you've learned why and
how these things are in place.

We were all without clue once, let's help :)

	- jared

-- 
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
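The point both posters make, that dropping every ICMP message turns a small-MTU hop into a silent black hole once Path MTU Discovery is in play, is easy to see in a small model. The following Python is an added example written for this archive page; it is not code from either poster or from FreeBSD. It builds a real ICMP type 3 / code 4 ("fragmentation needed and DF set") message with the RFC 1191 next-hop MTU field and an RFC 1071 checksum, then runs a simplified PMTUD loop over a constructed path once under a "drop all ICMP" policy and once under a policy that admits the handful of ICMP messages a host needs. The path MTUs, the policy names and the retry limit are assumptions made for the illustration.

```python
"""Added example (not from the original thread): a minimal model of Path MTU
Discovery (RFC 1191) showing why a firewall that drops every ICMP message
black-holes traffic across a small-MTU hop, while a policy that lets
ICMP type 3 code 4 through lets the sender adapt its packet size."""
import struct

ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_CODE_FRAG_NEEDED = 4   # "fragmentation needed and DF set"
ICMP_REDIRECT = 5
ICMP_TIME_EXCEEDED = 11


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frag_needed(next_hop_mtu: int, orig_header: bytes = b"") -> bytes:
    """ICMP header: type 3, code 4, checksum, 2 unused bytes, next-hop MTU
    (RFC 1191), followed by the offending IP header + 8 bytes of payload."""
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_CODE_FRAG_NEEDED,
                       0, 0, next_hop_mtu) + orig_header
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def parse_icmp(msg: bytes) -> dict:
    """Validate the checksum and pull out type, code and (for 3/4) the MTU."""
    if len(msg) < 8:
        raise ValueError("ICMP message too short")
    if icmp_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    info = {"type": itype, "code": code}
    if itype == ICMP_DEST_UNREACH and code == ICMP_CODE_FRAG_NEEDED:
        info["next_hop_mtu"] = mtu
    return info


def drop_all_icmp(info: dict) -> bool:
    """The 'hack fix' the thread warns about: nothing gets through."""
    return False


def allow_pmtud_icmp(info: dict) -> bool:
    """Admit only what a host needs; redirects (type 5) stay blocked."""
    allowed = {
        (ICMP_DEST_UNREACH, ICMP_CODE_FRAG_NEEDED),
        (ICMP_ECHO_REPLY, 0),
        (ICMP_TIME_EXCEEDED, 0),
        (ICMP_TIME_EXCEEDED, 1),
    }
    return (info["type"], info["code"]) in allowed


def simulate_pmtud(path_mtus, start_mtu, policy, max_attempts=8):
    """The sender emits DF packets sized to its current MTU estimate. The
    first hop whose MTU is smaller answers with 'frag needed'; the firewall
    applies `policy` to that answer. Returns (delivered, final_mtu, attempts)."""
    mtu = start_mtu
    # constructed stand-in for the original IP header + 8 bytes (28 bytes)
    orig = b"\x45\x00" + b"\x00" * 26
    for attempt in range(1, max_attempts + 1):
        bottleneck = next((m for m in path_mtus if m < mtu), None)
        if bottleneck is None:
            return True, mtu, attempt
        info = parse_icmp(build_frag_needed(bottleneck, orig))
        if not policy(info):
            continue  # reply dropped: sender retransmits at the same size
        mtu = info["next_hop_mtu"]
    return False, mtu, max_attempts


if __name__ == "__main__":
    # constructed path: Ethernet, a PPPoE-sized hop, then a tunnel
    path = [1500, 1492, 1400]
    for name, pol in (("drop all ICMP", drop_all_icmp),
                      ("allow PMTUD ICMP", allow_pmtud_icmp)):
        print("%-18s -> %r" % (name, simulate_pmtud(path, 1500, pol)))
```

Under the blanket-drop policy the sender never learns the 1400-byte bottleneck and keeps retransmitting full-size DF packets, which is exactly the "worked on Ethernet, broke elsewhere" failure described in the quoted message; under the selective policy it converges in two round trips. On a real firewall the same distinction is made by permitting unreachable/fragmentation-needed (and usually time-exceeded and echo-reply) by type and code rather than dropping the protocol wholesale.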