Antony, ever heard of TCP MTU Discovery?
Please read up on it and try again.
-alex
On Thu, 30 May 2002, Antony Stone wrote:
> On Thursday 30 May 2002 7:27 pm, Marcus Zoller wrote:
>
> > On Fri, 2002-05-31 at 04.02, Claudio Mio wrote:
> > > iptables -A INPUT -p icmp -i ${LAN_IF} -j LOG
> > > iptables -A OUTPUT -p icmp -o ${LAN_IF} -j LOG
> >
> > By the way: If you want to block pings to your machine,
> > do this by blocking icmp INPUT with message-type 8 (echo-request).
> >
> > Never ever block all ICMP from/to your machine! This will break nearly
> > anything. The minimum you must ACCEPT for input and output is message
> > type 3 and 11.
>
> I disagree with this, although it depends on whether the box acting as the
> firewall is also running any clients or servers (i.e. does it ever act as an
> endpoint in an IP communication, or is it just a filtering router?).
>
> If the firewall is running clients / servers, then the advice given above is
> correct - you should not indiscriminately block ICMP to / from the machine,
> however if the firewall is only a router, then it is perfectly okay to block
> incoming / outgoing ICMP so long as you still allow it *through* the machine
> for clients and servers to send ICMP messages to each other.
>
> I always recommend that a firewall should be a firewall and nothing else, and
> that it should also be invisible on the network - default policy of DROP on
> the INPUT chain, with selective filtering in the FORWARD chain.
>
> By all means be selective about what ICMP you do allow through your firewall
> - you may not want outsiders to be able to ping your internal machines, for
> example, but do not just block all ICMP between endpoints which need to
> communicate.
>
>
> Antony.
>
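The ruleset below is an added example, not code posted by anyone in this thread. It turns the advice above into concrete iptables rules: the firewall host itself keeps ICMP types 3 (destination unreachable, whose code 4 "fragmentation needed" is what Path MTU Discovery depends on) and 11 (time exceeded) on INPUT and OUTPUT, drops only echo-request (type 8) aimed at the box, and lets ICMP pass *through* the FORWARD chain so endpoints on either side can still talk, while stopping outsiders from pinging internal hosts. The script prints the commands instead of running them so the set can be reviewed first; the interface names `LAN_IF` and `WAN_IF` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): generates the ICMP portion of an
# iptables ruleset following the advice in the discussion above.
# LAN_IF / WAN_IF are assumed interface names; override them as needed.
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"

# Print the rules rather than applying them, so they can be reviewed.
# To apply as root:  icmp_rules | sh
icmp_rules() {
    # Host side: the firewall box is still a TCP endpoint for anything it
    # runs itself, so it must see destination-unreachable (type 3, including
    # code 4 "fragmentation needed" used by Path MTU Discovery) and
    # time-exceeded (type 11) in both directions.
    echo "iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT"
    echo "iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT"
    echo "iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT"
    echo "iptables -A OUTPUT -p icmp --icmp-type 11 -j ACCEPT"

    # Block pings *to* this machine selectively (echo-request only, type 8)
    # instead of dropping ICMP as a whole; log first so drops are visible.
    echo "iptables -A INPUT -p icmp --icmp-type 8 -j LOG --log-prefix \"ping-drop: \""
    echo "iptables -A INPUT -p icmp --icmp-type 8 -j DROP"

    # Router side: keep outsiders from pinging internal hosts, but let every
    # other ICMP message pass *through* so endpoints can talk to each other.
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p icmp --icmp-type 8 -j DROP"
    echo "iptables -A FORWARD -p icmp -j ACCEPT"
}

# Helper for checking the generated set: how many rules match a pattern.
count_rules() {
    icmp_rules | grep -c -- "$1"
}
```

Because `count_rules` works on the printed commands, the set can be checked before it is applied: for example, that no rule matches plain `-p icmp -j DROP` (which would be the "block all ICMP" mistake), and that types 3 and 11 each appear once on INPUT and once on OUTPUT.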