Re: [fw-wiz] How automate firewall tests
- From: Oliver Humpage <oliver@xxxxxxxxxxxxxxx>
- Date: Mon, 21 Aug 2006 17:22:26 +0100
on 21/8/06 2:46 pm, Patrick M. Hausen at hausen@xxxxxxxx wrote:
> Or did I get you completely wrong? I'm thinking of e.g.
> firewall protected public web servers. If you block ICMP,
> clients that try to access them with a smaller MTU than
> whatever the server's local interface has got will fail.
Not necessarily - IP packets can be fragmented to go over smaller MTU
networks. The problem comes when some OSes unnecessarily set the "Do Not
Fragment" bit on all packets, and at that point if the "must fragment" ICMP
message doesn't get back to the server then no data flows.
I can understand why *some* types of ICMP could be considered undesirable,
but there are other types which should definitely be let through under
certain circumstances.
Oliver.
PS Missed the start of this discussion, apologies if I missed the point
there.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
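Added example, not part of the original message: one way to automate a check for the failure described above, by walking a ruleset and reporting whether an inbound ICMP "fragmentation needed" error (type 3, code 4) would be accepted before a blanket ICMP drop. The iptables-save input format, the function names and both sample rulesets are assumptions made for illustration.

```python
import shlex

# --icmp-type names that include type 3 code 4 ("fragmentation needed and
# DF set"); every other name iptables accepts excludes it.
COVERING_NAMES = {"any", "destination-unreachable", "fragmentation-needed"}

def covers_frag_needed(spec):
    """True if an --icmp-type value matches ICMP type 3 code 4."""
    if not spec[0].isdigit():
        return spec in COVERING_NAMES
    icmp_type, _, code = spec.partition("/")
    return int(icmp_type) == 3 and code in ("", "4")

def opt(tokens, *names):
    """Value following the first of `names` present in the rule, else None."""
    return next((tokens[tokens.index(n) + 1] for n in names if n in tokens), None)

def frag_needed_verdict(ruleset, chain="INPUT"):
    """Fate of an ICMP 3/4 error that relates to a tracked connection.
    Simplified model: only -p, --icmp-type and --ctstate/--state are read;
    rules using -i/-s/-d or "!" and jumps to user chains are skipped."""
    policy = "ACCEPT"
    for line in ruleset.splitlines():
        tokens = shlex.split(line, comments=True)
        if tokens and tokens[0] == ":" + chain:
            policy = tokens[1]
        if tokens[:2] != ["-A", chain] or {"-i", "-s", "-d", "!"} & set(tokens):
            continue
        target = opt(tokens, "-j")
        icmp_type = opt(tokens, "--icmp-type")
        state = opt(tokens, "--ctstate", "--state")
        # LOG and similar targets do not end traversal; non-ICMP rules never match.
        if target not in ("ACCEPT", "DROP", "REJECT") or opt(tokens, "-p") not in (None, "icmp"):
            continue
        if icmp_type and not covers_frag_needed(icmp_type):
            continue
        if state and "RELATED" not in state.split(","):
            continue
        return target
    return policy

# Constructed samples: a web server ruleset with and without the PMTUD exception.
BLOCKED = """:INPUT DROP [0:0]
-A INPUT -p icmp -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT"""
FIXED = """:INPUT DROP [0:0]
-A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT"""
```

A connection-tracking rule that accepts RELATED traffic ahead of the ICMP drop also yields ACCEPT, since the error refers to an existing flow.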