On Mon, Jan 01, 2001 at 02:05:45PM -0500, Bill Royds wrote:
> That would only be true if your gateway was letting the packets leave with the DF
>bit set. the "ICMP UNREACHABLE WOULD_FRAGMENT" message is a reply to packets your
>gateway has transmitted. A good gateway would be allow this back only for
>corresponding packets sent out (packet with destination with this source and DF set).
>The gateway should be handling the MTU with internal host without informing the
>external host any information about IP number, MTU size etc. It would do re-assembly
>buffering etc.
Every good stateful filter and even some less good filter which do dyn NAt
or Masquerading will do that. Thats why Masquerading is a good Idea for
Leafe Networks. It's not a good Idea for ISPs but those will do Flow/state
analysis for customers only if they get paid to run a managed firewall
solution, anyway.
Greetings
Bernd
--
(OO) -- [EMAIL PROTECTED] --
( .. ) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
o--o *plush* 2048/93600EFD eckes@irc +497257930613 BE5-RIPE
(O____O) When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
