On Thu, Jun 08, 2000 at 07:21:57PM +1200, Dave Preece wrote:
> So... thinking about what this means for firewalls and natd. If we block all
> incoming ICMPs across the firewall, it is quite possible that a server
> behind the firewall could completely fail to send packets to a client on a
> smaller MTU (modem user with MTU set to 576, for instance).
Yes, that's correct -- the idea that ICMP is a separate and optional
part of TCP/IP is fundamentally wrong. Blocking it unconditionally
is a recipe for all kinds of hard-to-debug lossage around your firewall.
Just Say No.
- mark
--
Mark Newton Email: [EMAIL PROTECTED] (W)
Network Engineer Email: [EMAIL PROTECTED] (H)
Internode Systems Pty Ltd Desk: +61-8-82232999
"Network Man" - Anagram of "Mark Newton" Mobile: +61-416-202-223
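The failure mode the thread describes, as an added simulation (not code from the thread or from FreeBSD): a server sends DF-set packets toward a 576-byte link, the router answers with ICMP type 3 code 4 carrying the next-hop MTU (RFC 1191), and the server only shrinks its packets if the firewall lets that message through. Function names, the "selective" policy and the packet sizes are hypothetical.

```python
import struct

# Added example, not from the thread: a simulation of the Path MTU Discovery
# (RFC 1191) failure described above. Names and values are hypothetical.
ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, ICMP_ECHO_REQUEST = 3, 4, 8

def frag_needed(next_hop_mtu):
    """ICMP header a router emits when a DF packet exceeds its link MTU:
    type 3, code 4, checksum (left zero here), unused, next-hop MTU."""
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)

def icmp_type_code(icmp):
    return struct.unpack("!BB", icmp[:2])

def block_all_icmp(icmp):
    """The policy the thread warns against: no inbound ICMP at all."""
    return False

def selective_icmp(icmp):
    """Drop inbound echo requests, but let type 3 code 4 reach the server."""
    t, c = icmp_type_code(icmp)
    if (t, c) == (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        return True
    return t != ICMP_ECHO_REQUEST  # assumption: other types are not blocked

def send_with_pmtud(path_mtu, packet_size, firewall, max_tries=3):
    """Server sends DF packets of packet_size toward a client behind a link of
    path_mtu bytes. Returns (delivered, size finally used). The router drops an
    oversized DF packet and answers with frag_needed(); the server lowers its
    size only if that ICMP passes the firewall, otherwise it just retransmits
    the same oversized packet and the connection stalls."""
    size = packet_size
    for _ in range(max_tries):
        if size <= path_mtu:
            return True, size
        icmp = frag_needed(path_mtu)
        if firewall(icmp):
            size = struct.unpack("!H", icmp[6:8])[0]  # next-hop MTU field
    return False, size
```

With `block_all_icmp` the 1500-byte packets toward a 576-byte path are never delivered; with `selective_icmp` the server drops to 576 bytes on the second try.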