On Thu, 30 May 2002, Antony Stone wrote:

> > Discovery relies on sender receiving ICMP "Datagram too big, must fragment
> > but DF is set". If that datagram is filtered, you'll run into problems.
>
> This type of ICMP message will be RELATED to an existing TCP connection,
> therefore it will be allowed through the firewall by the sort of ruleset
> Claudio was using - if you recall, this was:

Ah, I didn't know iptables are smart enough to realize that!
My apologies then.

> I still agree with the choice to disallow all NEW ICMP connections from the
> Internet, either in the FORWARD chain, or in the INPUT chain (provided the
> firewall's not acting as an endpoint client or server).

In such case, there's no argument from me. It's definitely optional, and depends on the paranoia/ease-of-troubleshooting tradeoff that you'd like to make ;)

-alex
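For readers following the thread, here is an added example of the kind of ruleset being discussed (not Claudio's ruleset, which is not reproduced on this page): an ESTABLISHED,RELATED accept placed ahead of a NEW-ICMP drop, so that an ICMP "fragmentation needed" tied to a tracked TCP connection still reaches the sender. Assumptions are mine: eth0 faces the Internet, the box only forwards for a LAN on another interface, and the `-m state` match is available.

```shell
#!/bin/sh
# Added example, not the ruleset from the thread. Constructed assumptions:
# eth0 faces the Internet; the firewall forwards for a LAN behind another
# interface; the (2002-era) "-m state" match is available.
WAN=eth0

# Emit the filter table in iptables-restore format. Rule order is the point:
# the ESTABLISHED,RELATED accept precedes every ICMP drop, so an ICMP
# "fragmentation needed" (type 3, code 4) belonging to a tracked TCP flow is
# RELATED and passes, while unsolicited (NEW) ICMP from the Internet is dropped.
fw_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# replies and related errors (including ICMP 3/4) for known flows
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# no new ICMP from the Internet, neither to the firewall nor through it
-A INPUT -i $WAN -p icmp -m state --state NEW -j DROP
-A FORWARD -i $WAN -p icmp -m state --state NEW -j DROP
# the LAN may open connections outward
-A FORWARD ! -i $WAN -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Return 0 when, in the given chain, the RELATED accept comes before the
# first ICMP drop; this is the ordering check worth keeping in a deploy script.
fw_order_ok() {
    chain=$1
    acc=$(fw_rules | grep -n -- "-A $chain .*RELATED" | cut -d: -f1)
    drop=$(fw_rules | grep -n -- "-A $chain .*icmp.*DROP" | cut -d: -f1)
    [ -n "$acc" ] && [ -n "$drop" ] && [ "$acc" -lt "$drop" ]
}

# Load the rules (needs root): sh fw.sh apply
if [ "$1" = apply ]; then
    fw_order_ok INPUT && fw_order_ok FORWARD && fw_rules | iptables-restore
fi
```

Without the ESTABLISHED,RELATED line (or with the ICMP drop moved above it) the same ruleset silently breaks path MTU discovery for every tracked connection, which is the failure mode the thread started from.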
