On Tue, Jan 02, 2001 at 04:32:44PM +1030, Ben Nagy wrote:
> that, in many cases. The trouble is that you need to allow outbound
> packet-too-big for PMTU-D to work if you have public servers. If you don't
> then you're laughing, AFAIK.

Well, you can get around this if you know that your upstream provider has
no bigger PMTU. So if your MTU is 1500 on all devices you can be quite sure
you won't receive bigger packets from the Internet.

And as always, if you do masquerading, you do not have to be afraid of
someone probing your network topology, since you only have one public
address, so you can pass all the ICMP types outbound. Make sure to filter
broadcasts and spoofed addresses, anyway.

Greetings
Bernd
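The policy sketched in this reply (pass ICMP outbound from the one masqueraded public address, drop spoofed sources and broadcasts, and treat anything over the 1500-byte MTU as something that should never arrive) written out as a small stateless filter evaluator. This is an added example, not code from the list thread or from any firewall product; the addresses 203.0.113.10 and 192.168.1.0/24, the interface directions, the bogon list and the inbound ICMP allow-list are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed topology for this example (not from the mail): one masquerading
# gateway with a single public address and a private LAN behind it.
PUBLIC_ADDR = ipaddress.ip_address("203.0.113.10")
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
MTU = 1500                                   # same MTU on every device, as in the mail

# Source ranges that must never arrive on the external interface (assumed list).
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16",
)]

# Inbound ICMP the gateway still accepts (assumed policy): echo reply,
# destination unreachable (type 3, which includes code 4 "fragmentation
# needed" for PMTUD on our own outbound traffic) and time exceeded.
INBOUND_ICMP_TYPES = {0, 3, 11}


@dataclass
class Packet:
    direction: str            # "in" = arrives on external interface, "out" = leaves it
    src: str
    dst: str
    proto: str                # "icmp", "tcp" or "udp"
    length: int = 64          # total IP length in bytes
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def filter_packet(pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, reason) for a packet crossing the external interface."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    # 1. Broadcasts (limited and directed) and multicast never cross the gateway.
    if (dst == ipaddress.ip_address("255.255.255.255")
            or dst == INTERNAL_NET.broadcast_address
            or dst.is_multicast):
        return "DROP", "broadcast destination"

    # 2. Anti-spoofing.
    if pkt.direction == "in":
        # Our own public address or any private/bogon range as a source on
        # the outside interface can only be forged.
        if src == PUBLIC_ADDR or any(src in net for net in BOGON_NETS):
            return "DROP", "spoofed source on external interface"
    elif pkt.direction == "out":
        # Masquerading rewrites every outbound source to the public address;
        # anything else leaking out would reveal internal topology.
        if src != PUBLIC_ADDR:
            return "DROP", "unmasqueraded internal source leaving"
    else:
        raise ValueError(f"unknown direction {pkt.direction!r}")

    # 3. With a 1500-byte MTU end to end, nothing larger can legitimately arrive.
    if pkt.length > MTU:
        return "DROP", "larger than MTU"

    # 4. ICMP policy: all types outbound, a short allow-list inbound.
    if pkt.proto == "icmp":
        if pkt.direction == "out":
            return "ACCEPT", "icmp outbound"
        if pkt.icmp_type in INBOUND_ICMP_TYPES:
            return "ACCEPT", f"icmp type {pkt.icmp_type} inbound"
        return "DROP", f"icmp type {pkt.icmp_type} inbound not allowed"

    return "ACCEPT", "default"


# Constructed sample traffic (not captured data) exercising each rule.
SAMPLE_PACKETS = [
    Packet("out", "203.0.113.10", "198.51.100.5", "icmp", icmp_type=3, icmp_code=4),
    Packet("in", "192.168.1.20", "203.0.113.10", "tcp"),
    Packet("in", "198.51.100.5", "255.255.255.255", "udp"),
    Packet("in", "198.51.100.5", "203.0.113.10", "tcp", length=1600),
    Packet("out", "192.168.1.20", "198.51.100.5", "tcp"),
    Packet("in", "198.51.100.5", "203.0.113.10", "icmp", icmp_type=8, icmp_code=0),
    Packet("in", "198.51.100.5", "203.0.113.10", "tcp"),
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        verdict, reason = filter_packet(p)
        print(f"{p.direction:3} {p.src:>15} -> {p.dst:<15} {p.proto:4} {verdict:6} ({reason})")
```

The first sample is the outbound type 3/code 4 "packet too big" that the quoted message says a site with public servers must let out; the evaluator accepts it simply because all ICMP is allowed outbound from the public address, while the private 192.168.1.20 source that never got masqueraded is dropped before any ICMP rule is reached.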