On Sat, 7 Jan 2006, Yizhar Hurwitz wrote:


> Well, as you know, many systems nowadays use xDSL lines, some of which have a lower MTU because of tunneling protocols (such as PPPoE). Also, many firewalls drop the ICMP packets required for PMTU, so you cannot trust PMTU to find the best packet size.
> Some firewalls might also drop fragmented packets.

If the firewall drops error ICMPs or fragmented packets then it's broken.
Blocking some kind of ICMP packets is one thing but blindly blocking
all ICMP is a Bad Idea (tm). Any decent stateful firewall can recognize
if an ICMP is a response to a packet you generated. IP filter (comes
in most BSDs) has been doing it since at least '99.

ICMP is an integral part of the TCP/IP suite. It is needed for TCP/IP
to work properly. You CAN'T (well, you can, but you shouldn't) block
all of it.

The same goes for fragments: dropping bare fragments is OK, dropping fragments
which you know are part of legitimate traffic isn't.



                        Fer
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
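The stateful check described in the reply above (accept an ICMP error only when the header it carries belongs to a flow you originated), written out as an added Python example that is not part of this thread and not code from IP Filter or any other firewall. The addresses, ports, the flow table and the packets are all constructed inline; the "fragmentation needed" message carries a next-hop MTU of 1492, the value a PPPoE link typically reports.

```python
"""Minimal stateful ICMP-error filter (added example, constructed packets)."""
import socket
import struct

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
# ICMP error types that embed the header of the packet which triggered them (RFC 792).
ICMP_ERROR_TYPES = {3: "dest-unreachable", 4: "source-quench", 11: "time-exceeded", 12: "parameter-problem"}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a message that already carries its checksum sums to 0."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, df: bool = True) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000 if df else 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_packet(src: str, sport: int, dst: str, dport: int, data: bytes) -> bytes:
    """A DF-flagged TCP segment (checksum left zero; only the headers matter here)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 65535, 0, 0) + data
    return ipv4_header(src, dst, PROTO_TCP, len(tcp)) + tcp


def _icmp(src: str, dst: str, body: bytes) -> bytes:
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ipv4_header(src, dst, PROTO_ICMP, len(body), df=False) + body


def icmp_frag_needed(router: str, dst: str, original: bytes, mtu: int) -> bytes:
    """Type 3 code 4: the router quotes the original IP header plus 8 bytes of L4 header."""
    return _icmp(router, dst, struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + original[:28])


def icmp_echo_request(src: str, dst: str) -> bytes:
    return _icmp(src, dst, struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"ping")


def classify_icmp(packet: bytes, flows: set):
    """'related' if an ICMP error refers to a flow in `flows` (flows we originated),
    'new' for non-error ICMP such as echo requests, 'invalid' for anything else."""
    if len(packet) < 28 or packet[9] != PROTO_ICMP:
        return "invalid", "not a complete ICMP packet"
    icmp = packet[(packet[0] & 0x0F) * 4:]
    if checksum(icmp) != 0:
        return "invalid", "bad ICMP checksum"
    itype, icode = icmp[0], icmp[1]
    if itype not in ICMP_ERROR_TYPES:
        return "new", {"type": itype, "code": icode}
    inner = icmp[8:]
    if len(inner) < 28:
        return "invalid", "quoted header truncated"
    ihl = (inner[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    sport = dport = 0
    if inner[9] in (PROTO_TCP, PROTO_UDP):
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    key = (inner[9], src, sport, dst, dport)
    if key not in flows:
        return "invalid", "no matching flow"  # error about traffic we never sent: drop it
    info = {"type": itype, "code": icode, "flow": key}
    if (itype, icode) == (3, 4):
        info["next_hop_mtu"] = struct.unpack("!H", icmp[6:8])[0]
    return "related", info


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits the MTU with plain IPv4 and TCP headers (20 + 20 bytes)."""
    return mtu - 40


# Constructed scenario: our host 10.0.0.5 talks to 203.0.113.10:443; a PPPoE router replies.
FLOWS = {(PROTO_TCP, "10.0.0.5", 40000, "203.0.113.10", 443)}
ORIGINAL = tcp_packet("10.0.0.5", 40000, "203.0.113.10", 443, b"x" * 1460)  # 1500 bytes, DF set
FRAG_NEEDED = icmp_frag_needed("198.51.100.1", "10.0.0.5", ORIGINAL, 1492)

if __name__ == "__main__":
    print(classify_icmp(FRAG_NEEDED, FLOWS))
    print(classify_icmp(icmp_echo_request("198.51.100.1", "10.0.0.5"), FLOWS))
```

The verdict names follow the usual stateful-firewall vocabulary: an error that quotes one of our own flows is "related" and must be allowed through for PMTU discovery to work, an echo request is "new" and can be policed separately, and an error that quotes a flow we never opened, or whose checksum does not verify, is dropped without affecting any connection.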
