>Someone suggested (I forget who, but tks all the same) that it might be a
>defrag problem so I went to look at the firewall logs and indeed there
>were ICMP defrag packets, but from RFC1918 addresses, so they were being
>blocked by the firewall.
>
>I have a strict firewall policy of blocking any packet with an RFC1918
>address, whether source or destination, or an inbound packet with a source
>address from the site assigned IP block, or an outbound packet to a
>destination address from the site assigned IP block.
Which is a good idea.
I am aware of an ISP who runs all of their router interfaces using
point-to-point links (where you or I would just throw a /29 or /30 at it and
be done with it) on RFC1918 address space. They don't think this is a
problem. I do. Same sorts of problem.
Most backbone providers block RFC1918 addresses at various points along the
way. Solution is to tell those people who have put in kludges to fix them.
>My question is: Should I stick with that strict policy, or am I safe in
>relaxing it for ICMP messages just to suit inconsiderate ISPs who refuse
>to comply with RFC1918?
IMHO no. Other less-relaxing-than-you backbone providers will block this
traffic anyway - so you allowing it will only fix the problem where the
source of the private address space is close enough to you that there isn't
a sink hole in the middle.
Seen this same problem before anyway. Only solution is to "fix" it. :-)
Cheers,
John
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
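The policy described in the thread, and the symptom it produces, as an added example that is not part of the original mail. It models the poster's rules (drop any packet with an RFC1918 source or destination, drop inbound packets claiming the site's own block as source, drop outbound packets addressed to the site's own block) as a small packet evaluator, plus the check an operator would want when path MTU discovery starts failing: pull the ICMP "fragmentation needed" messages out of the drop list so the black hole is visible in the logs rather than guessed at. The site block 203.0.113.0/24 and the packet records are constructed for the example; `relax_icmp` is a hypothetical switch modelling the relaxation the poster asks about.

```python
"""Evaluate the strict RFC1918 / anti-spoofing policy from the thread.

Added example, not from the original mail. The site block (203.0.113.0/24,
a documentation prefix) and every packet below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SITE_BLOCK = "203.0.113.0/24"  # constructed: the "site assigned IP block"


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (from the Internet) or "out" (to the Internet)
    src: str
    dst: str
    proto: str          # "icmp", "tcp" or "udp"
    icmp_type: int = -1
    icmp_code: int = -1


def is_rfc1918(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


def is_frag_needed(p: Packet) -> bool:
    # ICMP type 3 code 4: "fragmentation needed and DF set", the message
    # path MTU discovery depends on. Routers with RFC1918 interface
    # addresses send it from those addresses, which is the thread's problem.
    return p.proto == "icmp" and p.icmp_type == 3 and p.icmp_code == 4


def evaluate(p: Packet, site_block: str = SITE_BLOCK,
             relax_icmp: bool = False) -> Tuple[str, str]:
    """Return (verdict, reason) for one packet under the described policy.

    relax_icmp=True is a hypothetical switch modelling the relaxation the
    poster asks about: accept inbound fragmentation-needed messages even
    when their source is RFC1918. Everything else is the strict policy.
    """
    site = ip_network(site_block)
    src, dst = ip_address(p.src), ip_address(p.dst)
    if is_rfc1918(p.src) or is_rfc1918(p.dst):
        if (relax_icmp and p.direction == "in" and is_frag_needed(p)
                and not is_rfc1918(p.dst)):
            return "ACCEPT", "rfc1918 source allowed for icmp frag-needed (relaxed)"
        return "DROP", "rfc1918 address"
    if p.direction == "in" and src in site:
        return "DROP", "spoofed: inbound packet claims our own source block"
    if p.direction == "out" and dst in site:
        return "DROP", "outbound packet to our own block"
    return "ACCEPT", "policy default"


def pmtud_blackhole_candidates(packets: List[Packet],
                               site_block: str = SITE_BLOCK) -> List[Packet]:
    """Dropped fragmentation-needed messages: the ones to look for when a
    large transfer hangs and the firewall log is the only evidence."""
    return [p for p in packets
            if is_frag_needed(p) and evaluate(p, site_block)[0] == "DROP"]


# Constructed sample traffic: one PMTUD message from a router on RFC1918
# space, one normal TCP packet, one spoofed inbound, one outbound to our own
# block, one outbound to private space.
SAMPLE = [
    Packet("in", "10.1.2.3", "203.0.113.10", "icmp", 3, 4),
    Packet("in", "198.51.100.7", "203.0.113.10", "tcp"),
    Packet("in", "203.0.113.99", "203.0.113.10", "tcp"),
    Packet("out", "203.0.113.10", "203.0.113.20", "tcp"),
    Packet("out", "203.0.113.10", "192.168.1.1", "udp"),
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        strict = evaluate(pkt)
        relaxed = evaluate(pkt, relax_icmp=True)
        print(f"{pkt.direction:3} {pkt.src:>14} -> {pkt.dst:<14} "
              f"strict={strict[0]:6} relaxed={relaxed[0]:6} ({strict[1]})")
    print("PMTUD messages lost to the strict policy:",
          len(pmtud_blackhole_candidates(SAMPLE)))
```

Running it shows what John's reply points out: relaxing the rule only rescues the one fragmentation-needed message that reaches this firewall, and the packet evaluator makes no difference to the copies dropped by a backbone provider further along the path. The `pmtud_blackhole_candidates` list is the part worth keeping in production form: counting type 3 code 4 drops from private sources is how the operator notices the problem before users do.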