Re: [fw-wiz] How automate firewall tests
On Mon, 21 Aug 2006, Patrick M. Hausen wrote:

> > minimum of 576 if you'd like ~100% success,)
>
> Got it. But 576 doesn't guarantee 100% success, even if you have
> a fair chance ;-)

That's why the ~ was there-- sure, some submarines and possibly some .mil
satcom links can't get to your site- *shrug* - if you're in that game,
you already should know the limitations.

> IIRC any IP implementation must be able to receive at least 576
> byte sized frames. But there is no mandate for a minimum path MTU
> of that size. 256 bytes or something in that order was common on
> dialup modem links.

Then set it to 256- the point is that you can get very reasonable values
of functionality without transiting ICMP. The times I've done this (back
when there was a *lot* more dial-up than there is today,) I've had very,
very few issues.

> > But since you control PMTU on your network, you can simply shrink it
> > enough and allow the ICMP traffic between trusted nodes only. Solves the
> > problem.
>
> I was thinking of the not so knowledgeable server/firewall admin
> blocking ICMP without those measures. And, what's so bad about
> ICMP "df needed" messages? Of course I'm not proposing to allow _all_
> types of ICMP through.

Everything you let in opens the gates a little more, who can say how much
creep is bad for one site or another? My point was simply that you can
limit things to what's under your control and still be effective.

Perfect is still the enemy of good enough.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@xxxxxxxxxxxx which may have no basis whatsoever in fact."
http://fora.compuwar.net Infosec discussion boards

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
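A worked illustration of the two measures argued over above (clamping your own MSS/MTU so no DF segment ever exceeds the smallest link, versus letting ICMP type 3 code 4 "fragmentation needed" back in only from trusted hops). This is an added example, not code from the thread or from either poster; the hop addresses, link MTUs and trusted networks are constructed, and the ICMP message layout follows RFC 1191.

```python
"""Added example, not part of the original thread.

Simulates the situation the thread is arguing about: a TCP sender sets DF,
some link on the path is narrower than the segment, and the hop behind it
returns ICMP type 3 code 4 ("fragmentation needed", RFC 1191) carrying the
next-hop MTU.  If a firewall drops that message the connection black-holes.
The two measures discussed are (a) clamping your own MSS/MTU so no segment
ever exceeds the smallest link, and (b) admitting type 3/4 only from
trusted hops.  Addresses, link MTUs and trusted networks below are
constructed for the example.
"""
import ipaddress
import struct

IP_HDR = 20           # IPv4 header without options
TCP_HDR = 20          # TCP header without options
FRAG_NEEDED = (3, 4)  # ICMP destination unreachable / fragmentation needed
MIN_IPV4_MTU = 68     # RFC 791: every link must carry at least 68 octets


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frag_needed(next_hop_mtu: int, original: bytes) -> bytes:
    """Type 3 / code 4: type, code, checksum, 16 unused bits, next-hop MTU,
    then the IP header + first 8 bytes of the datagram that was dropped."""
    msg = struct.pack("!BBHHH", *FRAG_NEEDED, 0, 0, next_hop_mtu) + original
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]


def parse_frag_needed(msg: bytes):
    """Return the advertised next-hop MTU, or None if the message is not a
    well-formed fragmentation-needed message (wrong type, bad checksum,
    or an MTU below the IPv4 minimum, which a receiver should ignore)."""
    if len(msg) < 8:
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if (typ, code) != FRAG_NEEDED or icmp_checksum(msg) != 0:
        return None
    if mtu < MIN_IPV4_MTU:
        return None
    return mtu


def clamp_mss(edge_mtu: int) -> int:
    """MSS to advertise/clamp at the edge so a full segment fits edge_mtu."""
    return edge_mtu - IP_HDR - TCP_HDR


# Constructed path: (hop address that would emit the ICMP, link MTU).
PATH = [("192.0.2.1", 1500), ("198.51.100.1", 1492), ("203.0.113.1", 576)]

# Constructed policy: only the first two hops are "ours" or our upstream.
TRUSTED = [ipaddress.ip_network("192.0.2.0/24"),
           ipaddress.ip_network("198.51.100.0/24")]


def drop_all_icmp(src_ip: str, msg: bytes) -> bool:
    """The blanket 'block ICMP' rule the thread warns about."""
    return False


def trusted_only(src_ip: str, msg: bytes) -> bool:
    """Admit a valid type 3/4 only when the sender is a trusted hop."""
    if parse_frag_needed(msg) is None:
        return False
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in TRUSTED)


def transfer(mss: int, path, accept_icmp):
    """Send DF segments of size mss+40 along path, shrinking on every
    fragmentation-needed message the firewall lets back in.
    Returns ("delivered", final_mss, icmp_rounds) or ("blackhole", hop_ip)."""
    rounds = 0
    while True:
        packet_len = mss + IP_HDR + TCP_HDR
        for hop_ip, link_mtu in path:
            if packet_len <= link_mtu:
                continue
            # Quoted header + 8 bytes is a placeholder; only the MTU matters here.
            msg = build_frag_needed(link_mtu, b"\x45" + b"\x00" * 27)
            if not accept_icmp(hop_ip, msg):
                return ("blackhole", hop_ip)
            mss = parse_frag_needed(msg) - IP_HDR - TCP_HDR
            rounds += 1
            break
        else:
            return ("delivered", mss, rounds)


if __name__ == "__main__":
    print(transfer(1460, PATH, drop_all_icmp))            # black-holes at the 1492 link
    print(transfer(1460, PATH, trusted_only))             # passes 1492, dies at 576
    print(transfer(clamp_mss(576), PATH, drop_all_icmp))  # no ICMP needed at all
```

The three calls at the bottom are the thread's three positions in miniature: blanket ICMP blocking black-holes at the first narrow link; admitting type 3/4 only from trusted hops gets you past the links you control but not past a stranger's 576-byte link; clamping to 536 at your own edge needs no ICMP at all, at the cost of the throughput the larger segments would have given.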