RE: Blocking ICMP with ipchains

[Richard.Smyth () nokia com]

You are breaking Path MTU Discovery by not allowing the "Fragmentation
needed but 'Do not Fragment' bit set" ICMP message through.  Solaris and NT
both use PMTUD, as fragmentation is bad and should be avoided where
possible.

Another one to add to your list of necessary ICMPs, Carric.

Regards,
Richard Smyth


> -----Original Message-----
> From: EXT peter.schawacker () citicorp com
> [mailto:peter.schawacker () citicorp com]
> Sent: Saturday, January 15, 2000 2:53 AM
> To: firewall-wizards () nfr net
> Subject: RE: Blocking ICMP with ipchains
>
>
> How could blocking all ICMP cause a problem?  I have worked 
> with two rather 
> large networks that blocked all ICMP at the router level.  
> Were we just lucky 
> not to have any problems?
>
> -----Original Message-----
> From: wwebb [mailto:wwebb () adni net]
> Sent: Tuesday, January 11, 2000 7:19 PM
> To: firewall-wizards
> Cc: wwebb
> Subject: Blocking ICMP with ipchains
>
>
> I've heard that it is not wise to block all ICMP operations.  Such 
> being the case, which of these ICMP operations are safe to block 
> without causing serious problems: 
>
> echo-reply (pong)
> destination-unreachable
>    network-unreachable
>    host-unreachable
>    protocol-unreachable
>    port-unreachable
>    fragmentation-needed
>    source-route-failed
>    network-unknown
>    host-unknown
>    network-prohibited
>    host-prohibited
>    TOS-network-unreachable
>    TOS-host-unreachable
>    communication-prohibited
>    host-precedence-violation
>    precedence-cutoff
> source-quench
> redirect
>    network-redirect
>    host-redirect
>    TOS-network-redirect
>    TOS-host-redirect
> echo-request (ping)
> router-advertisement
> router-solicitation
> time-exceeded (ttl-exceeded)
>    ttl-zero-during-transit
>    ttl-zero-during-reassembly
> parameter-problem
>    ip-header-bad
>    required-option-missing
> timestamp-request
> timestamp-reply
> address-mask-request
> address-mask-reply
>
> Thanks for any assistance.