Re: [fw-wiz] How automate firewall tests
Hi!
> Sure, but not many folks are downstream of small MTU serial links anymore,
> so if you set your external link to frag at 1492 or less (down to the
> minimum of 576 if you'd like ~100% success,)
Got it. But 576 doesn't guarantee 100% success, even if you have
a fair chance ;-)
IIRC any IP implementation must be able to receive frames of at least
576 bytes. But there is no mandate of a minimum path MTU of that size.
256 bytes or something in that order was common on dialup modem links.
> But since you control PMTU on your network, you can simply shrink it
> enough and allow the ICMP traffic between trusted nodes only. Solves the
> problem.
I was thinking of the not so knowledgeable server/firewall admin
blocking ICMP without those measures. And, what's so bad about
ICMP "DF needed" messages? Of course I'm not proposing to allow _all_
types of ICMP through.
Regards,
Patrick
--
punkt.de GmbH Internet - Dienstleistungen - Beratung
Vorholzstr. 25 Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe http://punkt.de
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
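The ICMP "fragmentation needed" message the reply above argues for is the one a firewall must let through for path MTU discovery to work. The following added example (written for this page, not code from the thread or its participants) decodes such a message (ICMPv4 type 3, code 4, RFC 1191 layout), validates it the way a stateful filter would (checksum, embedded IPv4 header, and that the quoted datagram came from our own network, assumed here to be the 192.0.2.0/24 documentation prefix), and applies a narrow allow-list instead of passing all ICMP. The allow-list contents and the sample packet are assumptions constructed for the example.

```python
"""Decode ICMPv4 'fragmentation needed' (type 3, code 4) messages and apply a
narrow ICMP allow-list. Added example; not from the firewall-wizards thread."""
import struct
from typing import NamedTuple, Optional

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4   # code under type 3: "Datagram Too Big" (RFC 1191)

# Example allow-list (an assumption for this example, not thread advice): only
# what path MTU discovery needs, plus echo replies and TTL-exceeded so outbound
# ping/traceroute keep working. Everything else (redirects, timestamps, inbound
# echo requests, ...) is dropped.
ALLOWED_ICMP = {
    (0, 0),    # echo reply
    (3, 4),    # destination unreachable: fragmentation needed and DF set
    (11, 0),   # time exceeded in transit
}


class FragNeeded(NamedTuple):
    next_hop_mtu: int
    orig_src: str
    orig_dst: str
    orig_proto: int


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP message.
    Over a message that already carries a correct checksum, this returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_allowed(icmp_type: int, code: int) -> bool:
    """Filter decision for an ICMP type/code pair under the example policy."""
    return (icmp_type, code) in ALLOWED_ICMP


def parse_frag_needed(msg: bytes, local_net: str = "192.0.2.") -> Optional[FragNeeded]:
    """Return the decoded message if it is a well-formed type 3 / code 4 that
    quotes a datagram sent from local_net (assumed local prefix); else None."""
    if len(msg) < 8 + 20 + 8:
        return None  # ICMP header + embedded IPv4 header + 8 bytes of original datagram
    if icmp_checksum(msg) != 0:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if (icmp_type, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        return None
    inner = msg[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None
    proto = inner[9]
    src = ".".join(str(b) for b in inner[12:16])
    dst = ".".join(str(b) for b in inner[16:20])
    if not src.startswith(local_net):
        return None  # not about a datagram we sent: a stateful filter drops it
    # Note: RFC 1191 allows MTU 0 from old routers; a real stack then falls
    # back to a plateau table. The value is returned as-is here.
    return FragNeeded(mtu, src, dst, proto)


def sample_inner_ip(src: str = "192.0.2.10", dst: str = "198.51.100.7") -> bytes:
    """Constructed IPv4 header (DF set, proto TCP) plus the first 8 bytes of a
    TCP header, as a router would quote them back. Sample data, not captured."""
    to_bytes = lambda ip: bytes(int(o) for o in ip.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                      to_bytes(src), to_bytes(dst))
    return hdr + struct.pack("!HHI", 44321, 443, 1)  # sport, dport, seq


def build_frag_needed(mtu: int, inner_ip: bytes) -> bytes:
    """Build a checksummed type 3 / code 4 message advertising next-hop MTU."""
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, mtu) + inner_ip
    csum = icmp_checksum(body)
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, csum, 0, mtu) + inner_ip


if __name__ == "__main__":
    msg = build_frag_needed(1492, sample_inner_ip())
    print(parse_frag_needed(msg))           # FragNeeded(next_hop_mtu=1492, ...)
    print(icmp_allowed(3, 4), icmp_allowed(5, 0))  # True False
```

The point of the `local_net` check is the one made in the thread: you do not need to open ICMP wholesale, only the messages that refer to traffic your own hosts originated, and only the types PMTUD and basic diagnostics rely on.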