Ronneil,


     The key is to allow what you need.  This may depend on what kind of
firewall you have in place.  If you are using an application layer gateway
then you will not necessarily have to allow MTU Path Discovery because the
firewall is making the connection and it will take care of that.  You will
only be able to allow specific types of ICMP traffic if you have an
application layer proxy that can look at the packets and discard the types
you do not need.  On a packet filtering firewall if you allow ICMP traffic
through your firewall then you are allowing all ICMP traffic through your
firewall.  If you do want to allow all ICMP traffic through your firewall
you may still have some problems with traceroute.  Traceroute works by
sending a UDP packet, usually on port 33434, with a TTL of 1 to the IP
Address you are tracerouting to.  The first router that gets this packet
sends an ICMP "time exceeded" message back to you and drops the UDP packet.
Your computer receives this and then sends another UDP packet with a TTL of
2 and this continues until you get to the destination you are tracerouting
to.  Once there the host usually sends back a reset since the chances of a
listen on UDP port 33434 are pretty remote.  The problem here is that the
return error messages from the routers along the way are not from the
destination address of the UDP packet and are not the same protocol.  Check
out "TCP/IP Illustrated, Volume 1"  to find out just about everything you
need to know about ICMP and TCP/IP.

Regards,
Jeffery Gieser
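Added example, not part of Jeffery's post: a small Python model of the traceroute exchange he describes, showing why a packet filter that only admits replies from the probe's destination drops the routers' ICMP "time exceeded" messages, while a filter that reads the original UDP header quoted inside each ICMP error can tie the reply back to the outbound probe. The Packet class, the filter functions and all addresses are constructed for illustration.

```python
# Constructed example: traceroute probes (UDP, TTL 1..n) and the ICMP replies
# they provoke, run through two filter policies. Real ICMP errors carry the
# first bytes of the offending datagram, which is modelled here as `quoted`.
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "udp" or "icmp"
    ttl: int = 64
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0               # 11 = time exceeded, 3 = unreachable
    quoted: "Packet | None" = None   # original datagram echoed in ICMP errors

MY_IP, TARGET = "192.0.2.10", "203.0.113.7"             # constructed hosts
HOPS = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]  # constructed path

def traceroute_exchange(hops, me=MY_IP, target=TARGET):
    """Return (probe, reply) pairs: TTL 1..n UDP probes and the ICMP answers."""
    pairs = []
    for ttl, router in enumerate(hops, start=1):
        probe = Packet(me, target, "udp", ttl=ttl, sport=40000, dport=33433 + ttl)
        pairs.append((probe, Packet(router, me, "icmp", icmp_type=11, quoted=probe)))
    last = Packet(me, target, "udp", ttl=len(hops) + 1, sport=40000, dport=33434 + len(hops))
    # Destination answers with ICMP port unreachable: nothing listens on that port.
    pairs.append((last, Packet(target, me, "icmp", icmp_type=3, quoted=last)))
    return pairs

def stateless_allow(reply, probe):
    """Plain packet filter: admit only same-protocol traffic from the probe's target."""
    return reply.src == probe.dst and reply.proto == probe.proto

def stateful_allow(reply, outstanding):
    """Admit an ICMP error only if the datagram it quotes is a probe we sent."""
    if reply.proto != "icmp" or reply.icmp_type not in (3, 11) or reply.quoted is None:
        return False
    q = reply.quoted
    return (q.src, q.dst, q.proto, q.sport, q.dport) in outstanding

def replies_admitted(hops=HOPS):
    """Count replies each filter lets through: (stateless, stateful, total)."""
    pairs = traceroute_exchange(hops)
    outstanding = {(p.src, p.dst, p.proto, p.sport, p.dport) for p, _ in pairs}
    stateless = sum(stateless_allow(r, p) for p, r in pairs)
    stateful = sum(stateful_allow(r, outstanding) for _, r in pairs)
    return stateless, stateful, len(pairs)
```

With the three-hop path, the stateless policy admits none of the four replies (the routers are not the destination and ICMP is not UDP), while the quoting-aware policy admits all four and still rejects an ICMP error that quotes a datagram we never sent.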
