On Mon, Jan 01, 2001 at 07:41:31PM -0600, Bill Lavalette wrote:
> solving. I'm not real sure what or why you are referring to MTU in this case
> since the most I ever configured MTU was on the interface level only.
Well, if you study TCP/IP a bit more closely you will see what ICMP is for
:)
ICMP_NEED_FRAG is used by Routers on the Internet to inform you that your
Packets are too big and that they need Fragmentation. If you do not allow
them in, you will have to turn off MTU Path Discovery (since if you leave it
on, your TCP Packets are sent with "DONT_FRAG" flags, so a router will drop
them and not fragment them).
Other ICMP Messages which are helpful are incoming Connection Refused
Messages, like HOST_UNREACHABLE, Network prohibited or Header Errors.
That's why we talk about "safe" types. The word was wrong, they are not safe
types, but they are "better to pass" since they are needed for normal
Operation.
BTW: if you want to turn off PMTU discovery, you can do that on a
masquerading linux gate and it should work for your whole net. If you don't
do masquerading, you have to do it on every single internet accessing
workstation.
Well, it is quite easy: if you deny incoming ICMP traffic, then log it for a
few days and look it up in the RFC.
Greetings
Bernd
--
(OO) -- [EMAIL PROTECTED] --
( .. ) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
o--o *plush* 2048/93600EFD eckes@irc +497257930613 BE5-RIPE
(O____O) When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
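The advice above boils down to "log the dropped ICMP, then look the type/code up in the RFC". The following is an added example (not part of the thread, and not a tool either poster used) that does that lookup for you: it maps ICMP type/code pairs to their RFC 792 / RFC 1812 names, flags the ones the message says normal operation depends on (destination unreachable, which includes fragmentation-needed for Path MTU Discovery, and parameter-problem header errors), decodes the next-hop MTU field from a fragmentation-needed message (RFC 1191), and summarizes a few constructed, netfilter-style drop log lines. The log format, the sample addresses and the "needed"/"review" classification are this example's own assumptions.

```python
import re
import struct
from collections import Counter

# Type/code names from RFC 792; the administratively-prohibited codes are from RFC 1812.
ICMP_NAMES = {
    (0, 0): "echo reply",
    (3, 0): "net unreachable",
    (3, 1): "host unreachable",
    (3, 2): "protocol unreachable",
    (3, 3): "port unreachable",
    (3, 4): "fragmentation needed and DF set",
    (3, 9): "communication with network administratively prohibited",
    (3, 10): "communication with host administratively prohibited",
    (3, 13): "communication administratively prohibited",
    (8, 0): "echo request",
    (11, 0): "time to live exceeded in transit",
    (11, 1): "fragment reassembly time exceeded",
    (12, 0): "parameter problem: pointer indicates the error",
}

# Following the message: destination unreachables (type 3, including code 4,
# "fragmentation needed", which PMTU discovery relies on) and header errors
# (parameter problem, type 12) are what normal operation depends on.
# Everything else is marked for manual review. This split is the example's choice.
NEEDED_TYPES = {3, 12}

# Constructed sample: an ICMP type 3 / code 4 header whose last word carries
# a next-hop MTU of 1400 (0x0578). Checksum left as zero for the example.
SAMPLE_FRAG_NEEDED = bytes([3, 4, 0, 0, 0, 0, 0x05, 0x78])

# Constructed sample log lines in a netfilter LOG-like format (hypothetical host/addresses).
LOG_LINES = """\
Jan  1 20:01:02 gw kernel: ICMP drop IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=ICMP TYPE=3 CODE=4
Jan  1 20:01:05 gw kernel: ICMP drop IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=ICMP TYPE=3 CODE=4
Jan  1 20:02:10 gw kernel: ICMP drop IN=ppp0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=ICMP TYPE=3 CODE=1
Jan  1 20:03:33 gw kernel: ICMP drop IN=ppp0 OUT= SRC=192.0.2.9 DST=203.0.113.5 PROTO=ICMP TYPE=8 CODE=0
Jan  1 20:04:01 gw kernel: ICMP drop IN=ppp0 OUT= SRC=192.0.2.13 DST=203.0.113.5 PROTO=ICMP TYPE=12 CODE=0
"""

LOG_RE = re.compile(r"SRC=(?P<src>\S+) .*PROTO=ICMP TYPE=(?P<type>\d+) CODE=(?P<code>\d+)")


def icmp_name(icmp_type, code):
    """Human-readable name for a type/code pair, or a pointer to the RFC."""
    return ICMP_NAMES.get((icmp_type, code), "unknown (look up in RFC 792)")


def classify(icmp_type, code):
    """'needed' for types normal TCP/IP operation depends on, else 'review'."""
    return "needed" if icmp_type in NEEDED_TYPES else "review"


def parse_icmp_header(data):
    """Decode the first 8 bytes of an ICMP message.

    For type 3 / code 4 the final 16-bit word is the next-hop MTU (RFC 1191);
    that value is what the sender's Path MTU Discovery needs to see.
    """
    if len(data) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _checksum, _unused, next_hop_mtu = struct.unpack("!BBHHH", data[:8])
    info = {"type": icmp_type, "code": code, "name": icmp_name(icmp_type, code)}
    if (icmp_type, code) == (3, 4):
        info["next_hop_mtu"] = next_hop_mtu
    return info


def summarize(log_text):
    """Group dropped-ICMP log lines by type/code with name, verdict and sources."""
    counts = Counter()
    sources = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not an ICMP drop line, skip it
        key = (int(m.group("type")), int(m.group("code")))
        counts[key] += 1
        sources.setdefault(key, set()).add(m.group("src"))
    return {
        key: {
            "count": n,
            "name": icmp_name(*key),
            "verdict": classify(*key),
            "sources": sorted(sources[key]),
        }
        for key, n in counts.items()
    }


if __name__ == "__main__":
    for (t, c), row in sorted(summarize(LOG_LINES).items()):
        print(f"type {t:2d} code {c:2d}  x{row['count']}  {row['verdict']:6s}  {row['name']}")
    print(parse_icmp_header(SAMPLE_FRAG_NEEDED))
```

Run over a real log, the summary shows at a glance which of the dropped messages were fragmentation-needed or unreachable replies to your own outbound connections (the ones that silently break PMTU discovery and slow down connection failures when blocked) and which are unsolicited probes worth keeping out.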