Hi!

> Sure, but not many folks are downstream of small MTU serial links anymore,
> so if you set your external link to frag at 1492 or less (down to the
> minimum of 576 if you'd like ~100% success,)
Got it. But 576 doesn't guarantee 100% success, even if you have
a fair chance ;-)

IIRC any IP implementation must be able to receive frames of at least 576
bytes. But there is no mandate of a minimum path MTU
of that size. 256 bytes or something in that order was common on
dialup modem links.

> But since you control PMTU on your network, you can simply shrink it
> enough and allow the ICMP traffic between trusted nodes only. Solves the
> problem.
I was thinking of the not so knowledgeable server/firewall admin
blocking ICMP without those measures. And, what's so bad about
ICMP "df needed" messages? Of course I'm not proposing to allow _all_
types of ICMP through.

Regards,
Patrick
--
punkt.de GmbH Internet - Dienstleistungen - Beratung
Vorholzstr. 25 Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe http://punkt.de
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards
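The two points in the thread above (a firewall that drops all ICMP turns path MTU discovery into a black hole, and 576 bytes is a host reassembly minimum rather than a guaranteed path MTU) can be shown with a small simulation. The code below is an added example written for this page, not code from the thread or from any firewall product. It builds and parses the real ICMP "fragmentation needed and DF set" message (type 3, code 4, with the RFC 1191 next-hop MTU in bytes 6 and 7) and then walks DF-flagged probes along a constructed path of link MTUs. The path MTU lists, the sample IP header bytes and the `icmp_blocked` switch are constructed for illustration.

```python
import struct

ICMP_DEST_UNREACH = 3       # ICMP type: destination unreachable
ICMP_FRAG_NEEDED = 4        # code: fragmentation needed and DF set
IPV4_MIN_REASSEMBLY = 576   # every IPv4 host must reassemble a datagram this size (RFC 791)

# Constructed 20-byte IPv4 header (DF bit set in the flags word) plus 8 bytes of
# transport header, i.e. the part of the offending packet an ICMP error quotes.
SAMPLE_IP_HEADER = b"\x45\x00\x05\x78\x00\x00\x40\x00\x40\x06" + b"\x00" * 18


def icmp_checksum(data: bytes) -> int:
    """Standard Internet checksum (ones' complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def build_frag_needed(next_hop_mtu: int, offending: bytes) -> bytes:
    """ICMP type 3 / code 4 with the next-hop MTU in bytes 6-7 (RFC 1191),
    followed by the quoted IP header and first 8 bytes of its payload."""
    quoted = offending[:28]
    hdr = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    csum = icmp_checksum(hdr + quoted)
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, csum, 0, next_hop_mtu) + quoted


def parse_frag_needed(msg: bytes):
    """Return the advertised next-hop MTU, or None unless this is a checksum-valid type 3 / code 4 message."""
    if len(msg) < 8 or icmp_checksum(msg) != 0:
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if typ != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    return mtu


def forward(link_mtus, size):
    """Walk a DF-flagged probe along the path. Return the MTU of the first hop
    it does not fit (that router would emit 'frag needed'), or None if delivered."""
    for mtu in link_mtus:
        if size > mtu:
            return mtu
    return None


def discover_pmtu(link_mtus, icmp_blocked=False, start_mtu=1500):
    """Minimal PMTUD (RFC 1191): probe with DF set and shrink to the MTU each
    ICMP error reports. If a firewall drops the ICMP, the probe is simply lost
    and the sender never learns the smaller MTU: the classic PMTUD black hole.
    Returns the discovered PMTU, or None for a black hole."""
    size = start_mtu
    for _ in range(len(link_mtus) + 1):
        hop_mtu = forward(link_mtus, size)
        if hop_mtu is None:
            return size                      # fits every hop: delivered
        if icmp_blocked:
            return None                      # error filtered, sender only sees loss
        reply = build_frag_needed(hop_mtu, SAMPLE_IP_HEADER)
        size = parse_frag_needed(reply)      # trust only a well-formed type 3 / code 4
    return size


if __name__ == "__main__":
    path = [1500, 1492, IPV4_MIN_REASSEMBLY]
    print("PMTU with frag-needed allowed:", discover_pmtu(path))
    print("PMTU with all ICMP dropped:  ", discover_pmtu(path, icmp_blocked=True))
    # A 576-byte probe still fails on a constructed 256-byte dialup hop.
    print("576-byte probe on a 256-byte hop stops at:", forward([1500, 256, 1500], IPV4_MIN_REASSEMBLY))
```

The practical takeaway for a filter policy matches the thread: permit inbound ICMP type 3 code 4 (and ideally other type 3 codes and type 11) even when echo and other ICMP is dropped, and watch for TCP sessions that complete the handshake but stall on bulk transfer, which is the usual symptom of the black hole modelled by the `icmp_blocked` branch.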