I didn't quite understand.

Don't Fragment is a bit in the IP header which tells routers that the packet
should not be fragmented. And this is passed along with the IP packet.

But there is a "fragmentation needed and DF set" ICMP message, type 3 code 4,
which is a response to a packet which is too large to fit the MTU and has the
DF bit on. This can be allowed in the policy.

This is usually a problem because firewall administrators tend to drop all
ICMP packets regardless of their type. This means that packets with the DF bit
set and a packet size larger than the MTU of the path will hang. ICMP is an
integral part of the Internet and you should be aware of the consequences if
you filter it.

ICMP should be filtered on a type/code basis to get the most out of it.

Nowadays there are so many encapsulating protocols that will cause you
problems with MTUs. And because usually these can be seen as intermittent
failures, they are hard to troubleshoot.

So, maybe this answers your question.

rgds,
Harri
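As an added example (not part of Harri's reply or of the original thread), a small Python parser and policy check for the ICMP type 3 code 4 message discussed above: it builds the message with the next-hop MTU field, verifies the checksum, and applies an allow-list keyed on type/code rather than dropping all ICMP. The allow-list contents and the sample datagram head are constructed for the example.

```python
import struct
# ICMP header (RFC 792): type(1) code(1) checksum(2) then 4 bytes whose meaning
# depends on type/code. For type 3 code 4 (RFC 1191) those 4 bytes are
# unused(2) + next-hop MTU(2), followed by the offending IP header + 8 bytes.
ICMP_DEST_UNREACH = 3
FRAG_NEEDED_DF_SET = 4

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a valid received message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frag_needed(next_hop_mtu: int, quoted_datagram_head: bytes) -> bytes:
    """Build the 'fragmentation needed and DF set' message a router would send."""
    hdr = struct.pack("!BBHHH", ICMP_DEST_UNREACH, FRAG_NEEDED_DF_SET, 0, 0, next_hop_mtu)
    msg = hdr + quoted_datagram_head
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]

def parse_icmp(data: bytes) -> dict:
    """Decode type, code, checksum validity and (for 3/4) the advertised next-hop MTU."""
    if len(data) < 8:
        raise ValueError("short ICMP message")
    itype, code = data[0], data[1]
    info = {"type": itype, "code": code, "checksum_ok": icmp_checksum(data) == 0}
    if itype == ICMP_DEST_UNREACH and code == FRAG_NEEDED_DF_SET:
        info["next_hop_mtu"] = struct.unpack("!H", data[6:8])[0]
    return info

# Sample allow-list keyed on (type, code), instead of dropping every ICMP message.
ALLOW_INBOUND = {
    (3, 4),   # fragmentation needed and DF set: needed so PMTU discovery works
    (0, 0),   # echo reply
    (11, 0),  # TTL exceeded in transit
}

def policy_verdict(data: bytes, allow=ALLOW_INBOUND) -> str:
    """'accept' only well-formed ICMP whose (type, code) is on the allow-list."""
    info = parse_icmp(data)
    if not info["checksum_ok"]:
        return "drop"
    return "accept" if (info["type"], info["code"]) in allow else "drop"

# Constructed sample: IP header (DF flag 0x4000 set) + 8 payload bytes quoted back by the router.
SAMPLE_IP_HEAD = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                             bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1])) + bytes(8)
```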

> -----Original Message-----
> From: ext Fransiscus Ruswahyudi [mailto:[EMAIL PROTECTED]]
> Sent: 19 December, 2001 10:17
> To: [EMAIL PROTECTED]
> Subject: ICMP Fragmentation 
> 
> 
> Thanks for the response to my question before. It's really
> helpful. Anyway, I have another problem.
> 
> Our security policy states that:
> "we should ALLOW DO NOT FRAGMENT ICMP messages
> outbound"
> 
> Does anyone know how to implement this specific
> ICMP packet type filter in Checkpoint FW-1?
> 
> Enjoy your Holiday!
> 
> Thanks
> Ruswahyudi
> 
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
> 