Firewall Wizards mailing list archives

Re: How automate firewall tests


From: Oliver Humpage <oliver () watershed co uk>
Date: Mon, 21 Aug 2006 17:22:26 +0100

on 21/8/06 2:46 pm, Patrick M. Hausen at hausen () punkt de wrote:

> Or did I get you completely wrong? I'm thinking of e.g.
> firewall protected public web servers. If you block ICMP,
> clients that try to access them with a smaller MTU than
> whatever the server's local interface has got will fail.

Not necessarily - IP packets can be fragmented to go over smaller MTU
networks. The problem comes when some OSes unnecessarily set the "Do Not
Fragment" bit on all packets, and at that point if the "must fragment" icmp
message doesn't get back to the server then no data flows.

I can understand why *some* types of ICMP could be considered undesirable,
but there are other types which should definitely be let through under
certain circumstances.

Oliver.

PS Missed the start of this discussion, apologies if I missed the point
there.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
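The interaction Oliver describes (DF set on every packet, router replies with ICMP "fragmentation needed", firewall drops that reply, transfer stalls) is easy to get wrong in a rule set, so here is an added model of it. This is example code written for this archive page, not code from the thread or from any firewall product; the hop MTUs, payload sizes and rule sets are constructed sample values. It also includes a small policy check listing which ICMP messages a stateless filter must pass for PMTUD to work, covering ICMPv6 Packet Too Big as well as the IPv4 case discussed in the post.

```python
"""Model of how an ICMP-blocking firewall interacts with the Don't Fragment bit.

Constructed teaching example (not from the firewall-wizards thread).
Hop MTUs, payload sizes and rule sets below are made-up sample values.
"""
from dataclasses import dataclass

IP_HEADER = 20                 # bytes of IPv4 header without options
FRAG_NEEDED = (3, 4)           # ICMPv4 type 3 code 4: fragmentation needed and DF set
PACKET_TOO_BIG_V6 = (2, 0)     # ICMPv6 Packet Too Big, the v6 equivalent
PMTUD_REQUIRED = frozenset({FRAG_NEEDED, PACKET_TOO_BIG_V6})


@dataclass
class Firewall:
    """Stateless filter in front of the server, keyed on (icmp_type, icmp_code)."""
    allowed_icmp: frozenset

    def passes(self, msg):
        return msg in self.allowed_icmp

    def pmtud_gaps(self):
        """ICMP messages that PMTUD depends on but this policy would drop."""
        return PMTUD_REQUIRED - self.allowed_icmp


def send_datagram(size, df, path_mtus):
    """Walk one datagram along the path, hop by hop.

    Returns ("delivered", [mtus of hops that had to fragment]) or
    ("frag_needed", hop_mtu) when DF is set and a hop cannot carry the
    packet; in that case the router would emit ICMP type 3 code 4.
    """
    fragmented_at = []
    for hop_mtu in path_mtus:
        if size > hop_mtu:
            if df:
                return "frag_needed", hop_mtu
            fragmented_at.append(hop_mtu)
            size = hop_mtu   # largest fragment now fits this hop
    return "delivered", fragmented_at


def transfer(payload, local_mtu, path_mtus, firewall, df, max_probes=8):
    """Push `payload` bytes from the server toward a client and report what happened.

    df=True models an OS that sets DF on every packet and relies on PMTUD:
    the sender only learns the real path MTU if the router's ICMP reply makes
    it back through `firewall`. df=False lets routers fragment instead, so
    no ICMP is needed for data to flow.
    """
    path_mtu = local_mtu
    delivered = 0
    fragmented_at = []
    probes = 0
    while delivered < payload:
        segment = min(payload - delivered, path_mtu - IP_HEADER)
        outcome, info = send_datagram(segment + IP_HEADER, df, path_mtus)
        if outcome == "delivered":
            delivered += segment
            fragmented_at.extend(info)
            continue
        # A router needed to fragment but DF forbade it: ICMP goes back to us.
        probes += 1
        if not firewall.passes(FRAG_NEEDED) or probes > max_probes:
            # The reply never arrives; the sender keeps retransmitting the
            # same oversized packet and the connection black-holes.
            return {"status": "blackhole", "delivered": delivered,
                    "path_mtu": path_mtu, "fragmented_at": fragmented_at}
        path_mtu = info   # honour the MTU the router advertised and retry
    return {"status": "ok", "delivered": delivered,
            "path_mtu": path_mtu, "fragmented_at": fragmented_at}


if __name__ == "__main__":
    # Constructed path: server LAN at 1500, one 1400-byte hop on the way out.
    path = [1500, 1400, 1500]
    strict = Firewall(frozenset())                    # drops all ICMP
    sane = Firewall(frozenset({FRAG_NEEDED, PACKET_TOO_BIG_V6}))
    for name, fw in (("drop-all-icmp", strict), ("allow-frag-needed", sane)):
        for df in (True, False):
            print(name, "DF" if df else "no-DF",
                  transfer(4000, 1500, path, fw, df))
        print(name, "policy gaps:", sorted(fw.pmtud_gaps()))
```

Running the script shows the three cases the post contrasts: with DF clear the data flows regardless of the ICMP policy (the routers fragment), with DF set and type 3 code 4 permitted the sender drops to 1400 and completes, and with DF set behind a drop-all-ICMP rule nothing is delivered. `pmtud_gaps()` is the check to run against a proposed rule set before deploying it: it should come back empty.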