Firewall Wizards mailing list archives

Re: How automate firewall tests


From: "Patrick M. Hausen" <hausen () punkt de>
Date: Mon, 21 Aug 2006 15:46:32 +0200

Hi, Paul!

On Mon, Aug 21, 2006 at 09:17:08AM -0400, Paul D. Robertson wrote:
> On Mon, 21 Aug 2006, Patrick M. Hausen wrote:
> 
> > On Fri, Aug 18, 2006 at 10:26:53AM -0700, Shahin Ansari wrote:
> > 
> > > The doco above says no good firewall should allow ICMP, ...
> > 
> > Then this document is plainly wrong, IMHO. Which one were you
> > referring to?
> > 
> > Blocking ICMP completely breaks PMTUD. Which leads to all
> > sorts of "funny" breakage from the end user's point of view.
> 
> Surely you're in full control of the MTU between your firewall and
> external router?  Letting the border router deal with PMTU isn't
> necessarily a bad thing.

I'm not in control of the MTU along the entire path from
server to client. PMTUD is an endpoint mechanism.

Or did I get you completely wrong? I'm thinking of e.g.
firewall protected public web servers. If you block ICMP,
clients that try to access them with a smaller MTU than
whatever the server's local interface has got will fail.

Regards,
Patrick M. Hausen
Leiter Netzwerke und Sicherheit
-- 
punkt.de GmbH         Internet - Dienstleistungen - Beratung
Vorholzstr. 25        Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe       http://punkt.de
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
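The PMTUD failure Patrick describes above (a server behind a firewall that drops every ICMP message, talking to a client whose path has a smaller MTU), as an added example that is not part of the thread or of any firewall product. It models Path MTU Discovery (RFC 1191) as a loop: the server sends DF-set segments at its interface MTU, a bottleneck hop drops the packet and returns an ICMP "fragmentation needed" message, and the server only shrinks its segment size if the firewall lets that ICMP message through. The path MTUs, the 40-byte header figure and the Firewall class are constructed for the example; the ICMP type/code values are the real ones from the RFCs.

```python
# Added example (not from the mailing list thread): a small model of Path MTU
# Discovery showing why "block all ICMP" blackholes large packets while small
# ones still get through. Path, MTUs and header size are constructed.
from dataclasses import dataclass

# The two ICMP messages PMTUD depends on:
# ICMPv4 type 3 / code 4 ("fragmentation needed and DF set", RFC 792/1191)
# ICMPv6 type 2 / code 0 ("packet too big", RFC 4443)
ICMPV4_FRAG_NEEDED = ("icmp", 3, 4)
ICMPV6_PACKET_TOO_BIG = ("icmp6", 2, 0)
PMTUD_REQUIRED = frozenset({ICMPV4_FRAG_NEEDED, ICMPV6_PACKET_TOO_BIG})

IP_TCP_HEADERS = 40  # IPv4 + TCP headers without options (constructed simplification)

# Constructed path from the public web server out to a client: the server's
# LAN carries 1500 bytes, a hop in the middle (e.g. a tunnel) only 1400.
PATH_MTUS = [1500, 1400, 1500]


@dataclass(frozen=True)
class Firewall:
    """Hypothetical stateless ICMP policy: the (proto, type, code) triples it permits."""
    allowed: frozenset

    def passes(self, msg):
        return msg in self.allowed


def send_with_pmtud(payload, path_mtus, fw, max_attempts=4):
    """Simulate one DF-set TCP segment leaving the server.

    Returns (delivered, mtu_in_use, attempts). The sender starts at its own
    interface MTU and only shrinks when an ICMP frag-needed message reaches it.
    """
    mtu = path_mtus[0]
    for attempt in range(1, max_attempts + 1):
        size = min(payload + IP_TCP_HEADERS, mtu)
        bottleneck = next((m for m in path_mtus if m < size), None)
        if bottleneck is None:
            return True, mtu, attempt  # fits every hop: delivered
        # The router at the bottleneck drops the packet and sends ICMP
        # "fragmentation needed" (carrying the next-hop MTU) back to the server.
        if fw.passes(ICMPV4_FRAG_NEEDED):
            mtu = bottleneck  # server lowers its path MTU and retransmits
            continue
        # The firewall dropped the ICMP: the server never learns the smaller
        # MTU and retransmits the same oversized segment until it gives up.
    return False, mtu, max_attempts


def pmtud_messages_blocked(fw):
    """Which PMTUD-critical ICMP messages does this policy still drop?"""
    return PMTUD_REQUIRED - fw.allowed


if __name__ == "__main__":
    block_all = Firewall(frozenset())
    allow_pmtud = Firewall(PMTUD_REQUIRED)
    # Large response (a 1400-byte page chunk) stalls behind block-all ...
    print(send_with_pmtud(1400, PATH_MTUS, block_all))
    # ... but succeeds on the second attempt once frag-needed is permitted.
    print(send_with_pmtud(1400, PATH_MTUS, allow_pmtud))
    # Small packets (the client's GET, TCP handshake) work either way, which
    # is why this failure looks "funny" to users: connect works, page hangs.
    print(send_with_pmtud(200, PATH_MTUS, block_all))
    print(sorted(pmtud_messages_blocked(block_all)))
```

The point of the third call is the symptom Patrick refers to: the handshake and small requests succeed, so the firewall appears to work, and only large responses hang. A firewall policy that otherwise drops ICMP needs at least the two messages in PMTUD_REQUIRED (plus, in practice, rate limiting rather than a blanket drop).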

