on 21/8/06 2:46 pm, Patrick M. Hausen at hausen@punkt.de wrote:

> Or did I get you completely wrong? I'm thinking of e.g.
> firewall protected public web servers. If you block ICMP,
> clients that try to access them with a smaller MTU than
> whatever the server's local interface has got will fail.

Not necessarily - IP packets can be fragmented to go over smaller MTU
networks. The problem comes when some OSes unnecessarily set the "Do Not
Fragment" bit on all packets, and at that point if the "must fragment" icmp
message doesn't get back to the server then no data flows.

I can understand why *some* types of ICMP could be considered undesirable,
but there are other types which should definitely be let through under
certain circumstances.


PS Missed the start of this discussion, apologies if I missed the point

firewall-wizards mailing list
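The behaviour described in the reply above (fragmentation when DF is clear, working path-MTU discovery when the "fragmentation needed" ICMP gets back to the server, and a black hole when DF is set and that ICMP is filtered) as a small Python model. This is an added example, not code from anyone on the list; the 1500-byte server MTU, the 576-byte downstream hop and the four-retransmission limit are constructed numbers, and the router, firewall and server are simplified stand-ins.

```python
"""Toy model of path-MTU discovery and of what happens when a firewall
drops ICMP type 3 code 4 ("Fragmentation needed and DF set").
Constructed example: hosts, MTUs and datagram sizes are made up."""
from dataclasses import dataclass, field

IPV4_HDR = 20                 # IPv4 header length without options, in bytes
ICMP_FRAG_NEEDED = (3, 4)     # Destination Unreachable, code 4 (RFC 792 / RFC 1191)


@dataclass
class Packet:
    size: int                 # total IPv4 datagram length in bytes
    df: bool                  # "Don't Fragment" flag set?
    fragment: bool = False    # True if this is a piece of a larger datagram


@dataclass
class Path:
    """Server -> router -> client. The router's outbound hop has the small MTU;
    a firewall between router and server may or may not pass ICMP 3/4 back."""
    server_mtu: int
    link_mtu: int
    icmp_allowed: bool                                # firewall passes ICMP 3/4?
    icmp_sent: list = field(default_factory=list)     # what the router emitted


def router_forward(path: Path, pkt: Packet) -> list:
    """Forward one datagram over the small-MTU hop.
    Returns the datagrams that reach the client ([] if the router dropped it)."""
    if pkt.size <= path.link_mtu:
        return [pkt]
    if pkt.df:
        # Too big and DF set: drop it and report the next-hop MTU to the sender.
        path.icmp_sent.append((ICMP_FRAG_NEEDED, path.link_mtu))
        return []
    # DF clear: the router fragments. Fragment payloads are multiples of 8 bytes.
    per_frag = (path.link_mtu - IPV4_HDR) // 8 * 8
    payload = pkt.size - IPV4_HDR
    frags = []
    while payload > 0:
        chunk = min(payload, per_frag)
        frags.append(Packet(size=chunk + IPV4_HDR, df=False, fragment=True))
        payload -= chunk
    return frags


def deliver(path: Path, datagram_size: int, df: bool, max_tries: int = 4):
    """The server tries to get one datagram across, doing PMTUD when DF is set.
    Returns (delivered, pmtu the server ended with, tries used, pieces received)."""
    pmtu = path.server_mtu
    for attempt in range(1, max_tries + 1):
        pkt = Packet(size=min(datagram_size, pmtu), df=df)
        received = router_forward(path, pkt)
        if received:
            return True, pmtu, attempt, len(received)
        # Dropped. Only the ICMP tells the server why. If the firewall eats it,
        # the server just retransmits the same size and sees silence.
        if path.icmp_allowed and path.icmp_sent:
            _, next_hop_mtu = path.icmp_sent[-1]
            pmtu = next_hop_mtu
    return False, pmtu, max_tries, 0


def scenarios():
    """Three outcomes for a 1500-byte datagram leaving a 1500-MTU server
    towards a client behind a 576-byte hop (constructed numbers)."""
    return {
        "df_clear": deliver(Path(1500, 576, icmp_allowed=False), 1500, df=False),
        "df_set_icmp_passes": deliver(Path(1500, 576, icmp_allowed=True), 1500, df=True),
        "df_set_icmp_blocked": deliver(Path(1500, 576, icmp_allowed=False), 1500, df=True),
    }


if __name__ == "__main__":
    for name, (ok, pmtu, tries, pieces) in scenarios().items():
        print(f"{name:22s} delivered={ok} pmtu={pmtu} tries={tries} pieces={pieces}")
```

Note that in the third scenario the filter does not even need to see the ICMP as a threat: the router emits it, the firewall silently discards it, and the server keeps retransmitting full-size datagrams that never arrive. The first scenario shows why blocking ICMP is harmless only when DF is clear, which is the distinction the reply draws.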