Re: [fw-wiz] How automate firewall tests



On Mon, 21 Aug 2006, Patrick M. Hausen wrote:

> Hi, Paul!

Hi Patrick!

> Blocking ICMP completely breaks PMTUD. Which leads to all
> sorts of "funny" breakage from the end user's point of view.

Surely you're in full control of the MTU between your firewall and
external router? Letting the border router deal with PMTU isn't
necessarily a bad thing.

> I'm not in control of the MTU along the entire path from
> server to client. PMTUD is an endpoint mechanism.

Sure, but not many folks are downstream of small MTU serial links anymore,
so if you set your external link to frag at 1492 or less (down to the
minimum of 576 if you'd like ~100% success,) and allow your router to send
ICMP to your server, then you're likely not to have PMTU issues if you
simply don't allow external spoofing of your internal interface.

> Or did I get you completely wrong? I'm thinking of e.g.
> firewall protected public web servers. If you block ICMP,
> clients that try to access them with a smaller MTU than
> whatever the server's local interface has got will fail.

But since you control PMTU on your network, you can simply shrink it
enough and allow the ICMP traffic between trusted nodes only. Solves the
problem.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@xxxxxxxxxxxx which may have no basis whatsoever in fact."
http://fora.compuwar.net Infosec discussion boards

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
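Paul's point about letting through only the ICMP that PMTUD needs, and only between trusted nodes, as an added illustration that is not part of the thread: a minimal check a filter could apply to IPv4 "fragmentation needed" messages (ICMP type 3, code 4), accepting one only when the quoted inner datagram was sent by the protected host the error is being delivered to. The addresses, the trusted range and the 576-byte floor (the minimum the thread mentions) are constructed assumptions.

```python
import struct
from ipaddress import ip_address, ip_network

# Constructed example values (documentation ranges, not from the thread).
TRUSTED_NET = ip_network("192.0.2.0/24")   # the firewall's internal side
MIN_IPV4_MTU = 576                         # floor the thread cites for IPv4

def parse_ipv4(buf):
    """Return (src, dst, protocol, payload) from a minimal IPv4 header."""
    ihl = (buf[0] & 0x0F) * 4
    src, dst = ip_address(buf[12:16]), ip_address(buf[16:20])
    return src, dst, buf[9], buf[ihl:]

def pmtud_icmp_allowed(packet):
    """Accept only ICMP type 3 code 4 whose quoted datagram was sent by the
    internal host the error is addressed to; everything else falls through
    to the normal (deny) ICMP policy."""
    src, dst, proto, icmp = parse_ipv4(packet)
    if proto != 1 or len(icmp) < 8 + 20:       # not ICMP / no quoted header
        return False
    icmp_type, code, _csum, _unused, next_mtu = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != 3 or code != 4:
        return False
    if next_mtu < MIN_IPV4_MTU:                # implausible hint, would starve the path
        return False
    inner_src, _inner_dst, _, _ = parse_ipv4(icmp[8:])
    # Anti-spoofing: the error must go back to the host that sent the quoted
    # datagram, and that host must be one of ours.
    return dst in TRUSTED_NET and inner_src == dst

def build_ipv4(src, dst, proto, payload):
    """Constructed IPv4 header (checksum left zero; not sent on the wire)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ip_address(src).packed, ip_address(dst).packed)
    return hdr + payload

def frag_needed(router, server, client, next_mtu, icmp_type=3, code=4,
                quoted_src=None):
    """Constructed ICMP error from `router` to `server` about a dropped
    server->client datagram; `quoted_src` overrides the quoted source to
    simulate a spoofed report."""
    inner = build_ipv4(quoted_src or server, client, 6, b"\x00" * 8)
    icmp = struct.pack("!BBHHH", icmp_type, code, 0, 0, next_mtu) + inner
    return build_ipv4(router, server, 1, icmp)
```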


