Hi, Paul!

On Mon, Aug 21, 2006 at 09:17:08AM -0400, Paul D. Robertson wrote:
> On Mon, 21 Aug 2006, Patrick M. Hausen wrote:
> > On Fri, Aug 18, 2006 at 10:26:53AM -0700, Shahin Ansari wrote:
> >
> > > The doco above says no good firewall should allow ICMP, ...
> >
> > Then this document is plainly wrong, IMHO. Which one were you
> > referring to?
> >
> > Blocking ICMP completely breaks PMTUD. Which leads to all
> > sorts of "funny" breakage from the end users' point of view.

> Surely you're in full control of the MTU between your firewall and
> external router? Letting the border router deal with PMTU isn't
> necessarily a bad thing.

I'm not in control of the MTU along the entire path from
server to client. PMTUD is an endpoint mechanism.

Or did I get you completely wrong? I'm thinking of e.g.
firewall protected public web servers. If you block ICMP,
clients that try to access them with a smaller MTU than
whatever the server's local interface has got will fail.

Patrick M. Hausen
Leiter Netzwerke und Sicherheit
punkt.de GmbH Internet - Dienstleistungen - Beratung
Vorholzstr. 25 Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe http://punkt.de
firewall-wizards mailing list
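The breakage Patrick describes, as an added example that is not part of the thread: a small Python simulation of Path MTU Discovery (RFC 1191) along a path containing a hop with a smaller MTU than the server's interface, run once behind a firewall that drops all ICMP and once behind one that passes ICMP type 3 code 4 ("fragmentation needed"). The `Firewall` class, the `pmtud` function and the hop MTU values are constructed for illustration and are not from any real product.

```python
# Added example (not from the thread): simulate PMTUD (RFC 1191) across a path
# with a smaller-MTU hop, comparing a firewall that drops all ICMP with one
# that passes ICMP type 3 code 4. Hop MTUs below are constructed sample values.
from dataclasses import dataclass, field

ICMP_FRAG_NEEDED = (3, 4)  # ICMP type 3 (Destination Unreachable), code 4


@dataclass
class Firewall:
    """Hypothetical stateless policy: which ICMP (type, code) pairs may reach the server."""
    allowed_icmp: set = field(default_factory=set)

    def passes(self, icmp_type: int, icmp_code: int) -> bool:
        return (icmp_type, icmp_code) in self.allowed_icmp


def pmtud(server_mtu: int, path_mtus: list, fw: Firewall, max_tries: int = 10):
    """Simulate a DF-marked send from server to client across path_mtus.

    Returns (delivered, pmtu, attempts). When a hop's MTU is smaller than the
    packet, that router emits ICMP fragmentation-needed carrying its MTU; the
    firewall decides whether the server ever sees it. If the server never learns
    the smaller MTU it keeps retransmitting at the same size: a PMTU black hole.
    """
    pmtu = server_mtu
    for attempt in range(1, max_tries + 1):
        bottleneck = next((m for m in path_mtus if m < pmtu), None)
        if bottleneck is None:
            return True, pmtu, attempt  # packet fit every hop on the path
        if not fw.passes(*ICMP_FRAG_NEEDED):
            continue  # ICMP dropped at the firewall: server retries same size
        pmtu = bottleneck  # RFC 1191: adopt the next-hop MTU from the ICMP
    return False, pmtu, max_tries


def compare(server_mtu=1500, path_mtus=(1500, 1492, 1400, 1500)):
    """Run the same path through a block-all-ICMP firewall and a corrected one."""
    block_all = Firewall()
    fixed = Firewall({ICMP_FRAG_NEEDED})
    return {
        "block_all_icmp": pmtud(server_mtu, list(path_mtus), block_all),
        "allow_frag_needed": pmtud(server_mtu, list(path_mtus), fixed),
    }


if __name__ == "__main__":
    for policy, (ok, mtu, tries) in compare().items():
        print(f"{policy}: delivered={ok} pmtu={mtu} attempts={tries}")
```

With the constructed path, the corrected policy converges on a 1400-byte PMTU after two ICMP messages, while the block-all policy never delivers the packet no matter how many times the server retransmits.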