OT: Blocking of ICMP type 3 code 4 packets [Was: Prevent circumventing dansguardian with pf]
Although it's not well known, TCP seriously depends on ICMP packets of type 3 code 4 for Path MTU Discovery (PMTUD). Blocking these packets leads to congested IP connections, broken transmissions and thus to frustrated users.

Some documentation:

http://en.wikipedia.org/wiki/Pmtud
http://www.usenix.org/events/lisa02/tech/full_papers/vanderberg/vanderberg_html/
http://www.ietf.org/rfc/rfc2923.txt

Various serious solutions:

BSD:

  pass quick proto icmp from any to any icmp-type 3 code 4

Linux:

  iptables -I CHAIN-NAME -p ICMP --icmp-type 3/4 -j ACCEPT

Check Point firewalls:

  Explicitly allow ICMP type 3 code 4 packets to the servers that use Path MTU Discovery

A firewall that allows TCP and disallows ICMP type 3 code 4 is a broken firewall that should be repaired or replaced immediately since it's not usable for serious TCP traffic.

+++chefren
Re: OT: Blocking of ICMP type 3 code 4 packets [Was: Prevent circumventing dansguardian with pf]
On 2007/04/26 01:01, chefren wrote:
> Although it's not well known, TCP seriously depends on ICMP packets of type 3 code 4 for Path MTU Discovery (PMTUD). Blocking these packets leads to congested IP connections, broken transmissions and thus to frustrated users.

For PF, 'keep state' on the TCP rule (default in 4.1) does the right thing and matches the appropriate ICMP messages as well.
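To make both posts concrete, here is an added example (not code from this thread, chefren, or the pf project) that builds and parses an ICMP type 3 code 4 "Fragmentation Needed" message the way a router on a 1400-byte link would emit it for a 1500-byte DF-marked TCP segment, then shows why a stateful firewall can pass it without a blanket ICMP rule: the message embeds the original datagram's IP header and first 8 bytes of TCP header, so the 4-tuple can be matched against an existing TCP state. The addresses, ports, MTU values and the set-of-tuples "state table" are constructed assumptions for the demo; pf's real state matching is more involved, but it relies on the same embedded header.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3   # ICMP type 3
ICMP_FRAG_NEEDED = 4    # code 4: fragmentation needed and DF set (RFC 1191)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, proto, total_len, ttl=64, ident=0):
    """Minimal 20-byte IPv4 header with DF set, as a PMTUD-probing host sends it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_frag_needed(orig_ip_header: bytes, orig_l4_prefix: bytes, next_hop_mtu: int) -> bytes:
    """ICMP type 3 code 4 as a router generates it: 2 unused bytes, the next-hop MTU,
    then the offending datagram's IP header plus the first 8 bytes of its payload."""
    body = orig_ip_header + orig_l4_prefix[:8]
    hdr = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    csum = inet_checksum(hdr + body)
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, csum, 0, next_hop_mtu) + body


def parse_frag_needed(icmp: bytes):
    """Return a dict describing a Fragmentation Needed message, or None if the bytes are
    not one (wrong type/code, bad ICMP checksum, or malformed embedded IPv4 header)."""
    if len(icmp) < 8 + 20 + 8:
        return None
    itype, icode, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if itype != ICMP_DEST_UNREACH or icode != ICMP_FRAG_NEEDED:
        return None
    if inet_checksum(icmp) != 0:          # a valid checksum folds the whole message to zero
        return None
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None
    flags_frag = struct.unpack("!H", inner[6:8])[0]
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {
        "mtu": mtu,
        "proto": inner[9],
        "df": bool(flags_frag & 0x4000),
        "src": socket.inet_ntoa(inner[12:16]),
        "dst": socket.inet_ntoa(inner[16:20]),
        "sport": sport,
        "dport": dport,
    }


def should_pass(icmp: bytes, tcp_states) -> bool:
    """Mimic a stateful firewall ('keep state' on the TCP rule): pass the ICMP error only
    if the embedded datagram belongs to a known TCP flow. tcp_states holds
    (src, sport, dst, dport) tuples as seen from the host that sent the DF datagram."""
    info = parse_frag_needed(icmp)
    if info is None or info["proto"] != socket.IPPROTO_TCP:
        return False
    return (info["src"], info["sport"], info["dst"], info["dport"]) in tcp_states


def demo():
    # Constructed sample: 10.0.0.5:51234 -> 203.0.113.7:443 sent a 1500-byte DF datagram;
    # a router whose next hop is 1400 bytes answers with Fragmentation Needed.
    orig_ip = build_ipv4_header("10.0.0.5", "203.0.113.7", socket.IPPROTO_TCP, 1500, ident=0x1234)
    orig_tcp = struct.pack("!HHI", 51234, 443, 0x10000000)   # sport, dport, seq = first 8 bytes
    msg = build_frag_needed(orig_ip, orig_tcp, 1400)
    states = {("10.0.0.5", 51234, "203.0.113.7", 443)}       # assumed state-table entry
    return parse_frag_needed(msg), should_pass(msg, states), should_pass(msg, set())


if __name__ == "__main__":
    info, with_state, without_state = demo()
    print("next-hop MTU:", info["mtu"], "flow:", info["src"], info["sport"], "->", info["dst"], info["dport"])
    print("passed with matching state:", with_state, "| passed with no state:", without_state)
```

The last line of `demo()` is the point of the reply: a firewall that keeps TCP state can accept the error for the flow it belongs to and still drop unsolicited ICMP, whereas a stateless ruleset needs chefren's explicit `icmp-type 3 code 4` pass rule or the host never learns the 1400-byte path MTU and keeps retransmitting 1500-byte DF segments into a black hole.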