Firewall Wizards mailing list archives

Re: how to block ICMP tunneling? Deja vu?


From: "Don Kendrick" <don () netspys com>
Date: Wed, 21 Jul 1999 17:49:01 -0400

Didn't we just have this discussion last year :)

I've been blocking unreachables, ttl-exceeded and echo-reply inbound at the
border router and blocking everything else from passing thru the firewall
for many years. All is allowed out from the external side of the house
only...path MTU has never caused any problems that I'm aware of in our net.

Aren't other routers between my net and the "rest of the world" responding
to path MTU? Wouldn't it only be a factor if my path was smaller than any
other between point A and B?

btw...someone else suggested that it mattered if you have a token-based
network inside...I've got that as well.


Don



If you do, you break Path MTU, which can disrupt communications to many
sites.



