On Thursday 30 May 2002 2:58 pm, [EMAIL PROTECTED] wrote:

> > > Antony, ever heard of TCP MTU Discovery?
> >
> > Er, yes, it's a mechanism whereby machines communicating by TCP find out
> > the maximum size of packets which can be transmitted between them, across
> > whatever underlying protocol connects them.
> >
> > > Please read up on it and try again.
> >
> > What is the point you are trying to make ?
>
> If you filter all incoming ICMP, you'll break TCP MTU Discovery.
>
> Discovery relies on sender receiving ICMP "Datagram too big, must fragment
> but DF is set". If that datagram is filtered, you'll run into problems.

This type of ICMP message will be RELATED to an existing TCP connection, 
therefore it will be allowed through the firewall by the sort of ruleset 
Claudio was using - if you recall, this was:

> # ICMP from INET
> iptables -N icmp_pkt
> iptables -A icmp_pkt -p icmp -m state --state NEW -j DROP
> iptables -A icmp_pkt -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

I still agree with the choice to disallow all NEW ICMP connections from the 
Internet, either in the FORWARD chain, or in the INPUT chain (provided the 
firewall's not acting as an endpoint client or server).


Antony.
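To illustrate why the "fragmentation needed" error passes a RELATED rule, here is an added example (not from the thread): it builds a constructed ICMP type 3 / code 4 error that quotes the original IPv4 header plus 8 bytes of TCP, parses the quoted 5-tuple back out, and classifies it the way conntrack's state match would. Addresses, ports and the next-hop MTU are constructed sample values.

```python
import socket
import struct

# Constructed sample data: an ICMPv4 "Destination Unreachable /
# Fragmentation Needed" error (type 3, code 4) as a router sends it back
# to a host whose DF-flagged TCP segment did not fit the next hop. The
# error quotes the offending datagram's IPv4 header plus the first 8
# bytes of its TCP header; conntrack reads that quoted 5-tuple to mark
# the error RELATED to the tracked TCP connection.

def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header with DF set (checksum left zero; constructed)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def build_frag_needed(orig_src, orig_dst, sport, dport, seq, next_mtu, router):
    """Build IPv4+ICMP 3/4 quoting the original IPv4 header + 8 TCP bytes."""
    tcp8 = struct.pack("!HHI", sport, dport, seq)
    inner = ipv4_header(orig_src, orig_dst, 6, 1500) + tcp8
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, next_mtu) + inner  # RFC 1191 layout
    return ipv4_header(router, orig_src, 1, 20 + len(icmp)) + icmp

def parse_frag_needed(pkt):
    """Return ((src, sport, dst, dport, proto), next_hop_mtu) or None."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:                        # outer protocol must be ICMP
        return None
    icmp = pkt[ihl:]
    itype, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if itype != 3 or code != 4:
        return None
    inner = icmp[8:]                       # quoted original datagram
    inner_ihl = (inner[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return (src, sport, dst, dport, inner[9]), mtu

def classify(pkt, tracked):
    """Mimic the iptables state match: RELATED if the quoted flow is tracked, else NEW."""
    parsed = parse_frag_needed(pkt)
    if parsed is None:
        return "NEW"
    flow, _ = parsed
    return "RELATED" if flow in tracked else "NEW"

if __name__ == "__main__":
    tracked = {("192.0.2.10", 40000, "198.51.100.5", 443, 6)}  # one live TCP flow
    pkt = build_frag_needed("192.0.2.10", "198.51.100.5", 40000, 443, 1000, 1400, "203.0.113.1")
    print(classify(pkt, tracked), parse_frag_needed(pkt)[1])   # RELATED 1400
```

An unsolicited ICMP packet (an echo request, say) quotes no tracked flow, so it classifies as NEW and is dropped by the first rule of the quoted chain.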
