Re: [fw-wiz] How automate firewall tests

On Mon, 21 Aug 2006, Patrick M. Hausen wrote:

Hi, Paul!

Hi Patrick!

Blocking ICMP completely breaks PMTUD. Which leads to all
sorts of "funny" breakage from the end users point of view.

Surely you're in full control of the MTU between your firewall and
external router? Letting the border router deal with PMTU isn't
necessarily a bad thing.

I'm not in control of the MTU along the entire path from
server to client. PMTUD is an endpoint mechanism.

Sure, but not many folks are downstream of small MTU serial links anymore,
so if you set your external link to frag at 1492 or less (down to the
minumum of 576 if you'd like ~100% success,) and allow your router to send
ICMP to your server, then you're likely to not to have PMTU issues if you
simply don't allow external spoofing of your internal interface.

Or did I get you completely wrong? I'm thinking of e.g.
firewall protected public web servers. If you block ICMP,
clients that try to access them with a smaller MTU than
whatever the server's local interface has got will fail.

But since you control PMTU on your network, you can simply shrink it
enough and allow the ICMP traffic between trusted nodes only. Solves the

Paul D. Robertson "My statements in this message are personal opinions
paul@xxxxxxxxxxxx which may have no basis whatsoever in fact." Infosec discussion boards

firewall-wizards mailing list

Relevant Pages

  • Re: Problem of blocking ICMP packet while calculating Path MTU
    ... > I am in process of implementing Path MTU detection technique. ... > process the received ICMP ECHO reply packets. ... > there is no need to write server code at all. ...
  • Re: Non accessible web site
    ... Then as my MTU is fixed to 1490 I am not surprised as the vast majority ... of Wan technologies have the same or larger MTU. ... your computer and the server, you will no longer be able to communicate. ... ICMP either, like Windows systems do) ...
  • Important Topics.
    ... ASP.NET server controls contained within the page. ... A custom server control is ... can also perform validation using client script. ... Where does the Web page belong in the .NET Framework class hierarchy? ...
  • Software engineer
    ... I have a BS in Electrical Engineering and computer science and worked on my ... I have also been involved in hardware design. ... Developed an ATL DCOM based Server and MFC client GUI using Visual C++6.0. ... User can control the data acquisition parameters by modifying the script file. ...