Firewall Wizards mailing list archives

Re: How automate firewall tests


From: "Patrick M. Hausen" <hausen () punkt de>
Date: Mon, 21 Aug 2006 18:49:52 +0200

Hi!

> Sure, but not many folks are downstream of small MTU serial links anymore,
> so if you set your external link to frag at 1492 or less (down to the
> minimum of 576 if you'd like ~100% success,)

Got it. But 576 doesn't guarantee 100% success, even if you have
a fair chance ;-)

IIRC any IP implementation must be able to receive at least 576
byte sized frames. But there is no mandate of a minimum path MTU
of that size. 256 bytes or something in that order was common on
dialup modem links.

> But since you control PMTU on your network, you can simply shrink it
> enough and allow the ICMP traffic between trusted nodes only.  Solves the
> problem.

I was thinking of the not so knowledgeable server/firewall admin
blocking ICMP without those measures. And, what's so bad about
ICMP "df needed" messages? Of course I'm not proposing to allow _all_
types of ICMP through.

Regards,
Patrick
-- 
punkt.de GmbH         Internet - Dienstleistungen - Beratung
Vorholzstr. 25        Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe       http://punkt.de
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
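The exchange above turns on one concrete message: ICMP type 3 code 4 ("Fragmentation Needed and DF set"), which a router on the path sends back when it cannot forward a DF datagram and which Path MTU Discovery depends on. The following is an added example, not code from the post or from the list, that builds and parses such a message and applies the selective policy the thread describes (let frag-needed through from any router, other ICMP only between trusted nodes). The addresses come from the RFC 5737 documentation ranges, and `TRUSTED_NETS`, `ALLOWED_FROM_ANYWHERE` and `icmp_policy` are assumptions made for illustration, not anyone's real configuration.

```python
import struct
import ipaddress

# Added example: ICMP "Fragmentation Needed" (type 3, code 4) builder, parser
# and a minimal allow-list policy. Addresses and networks below are constructed
# from the RFC 5737 documentation ranges; TRUSTED_NETS and the policy are
# assumptions for illustration, not the list's or any product's configuration.

TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed trusted segment
ALLOWED_FROM_ANYWHERE = {(3, 4)}  # frag-needed may come from any router on the path
IPV4_MIN_LINK_MTU = 68            # RFC 791: every module must forward 68-octet datagrams


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes, body: bytes = b"") -> bytes:
    """Assemble type, code, checksum and the 4 'rest of header' bytes, then the body."""
    assert len(rest) == 4
    unchecked = struct.pack("!BBH", icmp_type, code, 0) + rest + body
    csum = icmp_checksum(unchecked)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + body


def build_frag_needed(next_hop_mtu: int, offending_datagram: bytes) -> bytes:
    """Type 3 code 4: unused(16) | next-hop MTU(16), then offending IP header + 8 bytes."""
    return build_icmp(3, 4, struct.pack("!HH", 0, next_hop_mtu), offending_datagram[:28])


def sample_ipv4_header(src: str, dst: str, total_len: int) -> bytes:
    """Constructed IPv4 header with DF (0x4000) set, protocol TCP, header checksum left 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def parse_icmp(msg: bytes) -> dict:
    """Validate length and checksum; return type/code and, for 3/4, the advertised MTU."""
    if len(msg) < 8:
        raise ValueError("ICMP header too short")
    if icmp_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    info = {"type": icmp_type, "code": code}
    if (icmp_type, code) == (3, 4):
        info["next_hop_mtu"] = mtu
    return info


def icmp_policy(src: str, msg: bytes) -> str:
    """'accept' or 'drop': frag-needed from anywhere (sane MTU), other ICMP only from trusted nets."""
    try:
        info = parse_icmp(msg)
    except ValueError:
        return "drop"
    if (info["type"], info["code"]) in ALLOWED_FROM_ANYWHERE:
        # An advertised MTU below the IPv4 minimum is malformed or hostile; never honour it.
        return "accept" if info["next_hop_mtu"] >= IPV4_MIN_LINK_MTU else "drop"
    if any(ipaddress.ip_address(src) in net for net in TRUSTED_NETS):
        return "accept"
    return "drop"


if __name__ == "__main__":
    # Offending datagram: a 1500-byte DF packet from a host on the trusted segment.
    datagram = sample_ipv4_header("192.0.2.10", "203.0.113.5", 1500) + b"\x00" * 8
    frag_needed = build_frag_needed(1492, datagram)   # as sent back by an untrusted transit router
    print(parse_icmp(frag_needed))                      # {'type': 3, 'code': 4, 'next_hop_mtu': 1492}
    print(icmp_policy("198.51.100.1", frag_needed))     # accept
    echo = build_icmp(8, 0, struct.pack("!HH", 1, 1))   # echo request, no body
    print(icmp_policy("198.51.100.1", echo))            # drop
    print(icmp_policy("192.0.2.20", echo))              # accept
```

The policy deliberately checks the checksum and the advertised MTU before honouring a frag-needed message: the message has to be accepted from untrusted routers for PMTUD to work at all, so validating it is what keeps "allow type 3 code 4" from becoming "allow anything that claims to be type 3 code 4".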