On Mon, 21 Aug 2006, Patrick M. Hausen wrote:

> On Fri, Aug 18, 2006 at 10:26:53AM -0700, Shahin Ansari wrote:
> > The doco above says no good firewall should allow ICMP, ...

> Then this document is plainly wrong, IMHO. Which one were you
> referring to?
> Blocking ICMP completely breaks PMTUD. Which leads to all
> sorts of "funny" breakage from the end user's point of view.

Surely you're in full control of the MTU between your firewall and
external router? Letting the border router deal with PMTU isn't
necessarily a bad thing.

Paul D. Robertson
paul@compuwar.net
http://fora.compuwar.net (Infosec discussion boards)
"My statements in this message are personal opinions which may have no basis whatsoever in fact."

firewall-wizards mailing list