On 08/10/15 21:26, Antony Prince wrote:
> I host a server in this pool and it is set to drop all IPv4 ICMP packets

I hope you mean specifically dropping all ICMP echo-request packets, not all ICMP packets. Because some ICMP packets are *essential* for proper functioning of your internet connection, like path MTU discovery.

Systems behind firewalls that drop all ICMP packets can never properly do path MTU discovery, and this is nicely reflected in the man page for the iptables kludge that prevents most PMTU blackhole issues:

> TCPMSS [...]
>
> This target is used to overcome criminally braindead ISPs or servers
> which block "ICMP Fragmentation Needed" or "ICMPv6 Packet Too Big"
> packets. The symptoms of this problem are that everything works fine from
> your Linux firewall/router, but machines behind it can never exchange
> large packets: [...]

And PMTU discovery is not the only thing affected by blocking all ICMP, but it's a biggy.

HTH,

Peter.

PS: It is referring to "working fine from your router" because this target is for the router where the "pipe" so to say becomes "smaller": a small MTU in between larger MTUs. The router is aware of the small MTU, but other systems are not, which is why only the router works properly, provided the small MTU is the smallest on the path.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
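
The black hole described in the message above, as an added example that is not part of the original post: a toy model of IPv4 path MTU discovery (RFC 1191) run under two firewall policies, plus the MSS value a TCPMSS-style clamp on the constricting router would produce. The function names, the policies and the 1500/1492/1500 path are constructed for illustration.

```python
# Added illustration, not code from the thread. Toy model of IPv4 path MTU
# discovery: a sender emits DF packets, and the router in front of a smaller
# link answers with ICMP type 3 code 4 carrying the next-hop MTU.
ECHO_REQUEST = (8, 0)
FRAG_NEEDED = (3, 4)  # Destination Unreachable / Fragmentation Needed

def drop_all_icmp(icmp_type, code):
    """Firewall policy from the quoted post: no ICMP is accepted."""
    return False

def drop_echo_only(icmp_type, code):
    """Policy suggested in the reply: only echo-request is dropped."""
    return (icmp_type, code) != ECHO_REQUEST

def send_df(size, path_mtus):
    """Send one DF packet along the path. Returns None when delivered,
    otherwise the (type, code, next_hop_mtu) error from the first router
    whose outgoing link is too small."""
    for mtu in path_mtus:
        if size > mtu:
            return (*FRAG_NEEDED, mtu)
    return None

def discover_pmtu(path_mtus, accept_icmp, start_size=1500, max_tries=5):
    """Sender behind a firewall with policy accept_icmp. Returns the packet
    size that got through, or None for a PMTU black hole."""
    size = start_size
    for _ in range(max_tries):
        err = send_df(size, path_mtus)
        if err is None:
            return size
        icmp_type, code, next_hop_mtu = err
        if not accept_icmp(icmp_type, code):
            continue  # error never arrives: the same size is retransmitted
        size = next_hop_mtu
    return None

def clamped_mss(router_link_mtu, ip_tcp_headers=40):
    """MSS a router can write into SYNs for its small link, so endpoints
    never send segments that would need the ICMP error (IPv4, no options)."""
    return router_link_mtu - ip_tcp_headers

PATH = [1500, 1492, 1500]  # constructed: a smaller MTU between larger ones

if __name__ == "__main__":
    print("drop all ICMP      ->", discover_pmtu(PATH, drop_all_icmp))
    print("drop echo-request  ->", discover_pmtu(PATH, drop_echo_only))
    print("small packets pass ->", send_df(1400, PATH) is None)
    print("clamped MSS        ->", clamped_mss(min(PATH)))
```

Small packets get through under either policy, which is why a host that drops all ICMP still appears to work until a full-size packet has to cross the smaller link.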