You could drop ICMP packets at your firewall if the firewalls properly implemented stateful inspection of ICMP packets. The problem is few firewalls include ICMP responses in their statefull analysis. So you are left with two bad choices, permit "all" ICMP packets or deny "all" ICMP packets.
- MTU path discovery and IPSec jgraun
- Re: MTU path discovery and IPSec Steven M. Bellovin
- Re: MTU path discovery and IPSec Owen DeLong
- Re: MTU path discovery and IPSec Valdis . Kletnieks
- Re: MTU path discovery and IPSec Owen DeLong
- RE: MTU path discovery and IPSec cproctor
- Re: MTU path discovery and IPSec David Sinn
- Re: Firewall stateful handling of ICMP pac... Sean Donelan
- Re: Firewall stateful handling of ICMP... Owen DeLong
- Re: Firewall stateful handling of... Valdis . Kletnieks
- Re: Firewall stateful handlin... Owen DeLong
- Re: Firewall stateful handling of ICMP... Henry Linneweh
- Re: MTU path discovery and IPSec Tony Rall
- Re: MTU path discovery and IPSec Joe Maimon
- Re: MTU path discovery and IPSec Valdis . Kletnieks
- Re: MTU path discovery and IP... Barney Wolff
- Re: MTU path discovery an... Joe Maimon
- Re: MTU path discovery an... Valdis . Kletnieks
