On Mon, 21 Aug 2006, Patrick M. Hausen wrote:

> Hi, Paul!

Hi Patrick!

> > > Blocking ICMP completely breaks PMTUD. Which leads to all
> > > sorts of "funny" breakage from the end users point of view.

> >
> > Surely you're in full control of the MTU between your firewall and
> > external router? Letting the border router deal with PMTU isn't
> > necessarily a bad thing.

> I'm not in control of the MTU along the entire path from
> server to client. PMTUD is an endpoint mechanism.

Sure, but not many folks are downstream of small MTU serial links anymore,
so if you set your external link to frag at 1492 or less (down to the
minumum of 576 if you'd like ~100% success,) and allow your router to send
ICMP to your server, then you're likely to not to have PMTU issues if you
simply don't allow external spoofing of your internal interface.

> Or did I get you completely wrong? I'm thinking of e.g.
> firewall protected public web servers. If you block ICMP,
> clients that try to access them with a smaller MTU than
> whatever the server's local interface has got will fail.

But since you control PMTU on your network, you can simply shrink it
enough and allow the ICMP traffic between trusted nodes only. Solves the

Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
http://fora.compuwar.net Infosec discussion boards

firewall-wizards mailing list