Re: ICMP Drop - Part II
On Thu, 09 Oct 2003, Menno Scholten wrote:
> After reading the concerns about dropping ICMP packets I was wondering
> if this also applies to a firewall with all inbound traffic blocked.
Yes. If you block the 'destination unreachable, fragmentation needed'
packets, you will no longer be able to get large packets from a fair
proportion of the Internet -- enough to annoy, but not enough to cripple
> I block everything from the outside and SNAT internet traffic from my
> local workstations to my external IP. If those 'fragmentation needed'
> packets are sent to my IP, they would only come in reply to a
> connection I've made and thus be associated with an existing
> connection right? So they would be accepted as part of the NAT'ed
If you have a rule that says accept 'RELATED' packets, the ICMP will be
accepted, as long as the association can be determined.
> Is the above true? I understand about applications that work on an IP
> to IP basis like MSN, but am I right for everything that works without
> special firewall rules?
Yes, with the iptables 'connection tracking' stuff and the 'RELATED'
> Hope this is not too stupid of a question..
Nope. Well asked. :)
The only place men want depth in a woman is in her décolletage.
-- Zsa Zsa Gabor
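As an added illustration (not from the original thread), here is a minimal iptables ruleset for the setup described in the question: everything inbound dropped, local workstations SNATed to the external address, and replies to connections we opened accepted through connection tracking. Interface names, addresses and the explicit fragmentation-needed rule are assumptions for the example, not from the message. The script only prints the rules unless invoked with `apply`, so it can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the original thread. Placeholder names:
# WAN/LAN interfaces, LAN_NET and EXT_IP are assumptions; override via env.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
EXT_IP=${EXT_IP:-203.0.113.10}

# Print the ruleset as iptables commands so it can be read before it is applied.
ruleset() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $LAN -s $LAN_NET -j ACCEPT
# Packets belonging to, or related to, a connection already in the conntrack
# table. A 'fragmentation needed' ICMP error carries the header of the packet
# that triggered it; conntrack matches that embedded header against the NAT
# table, so the error is RELATED even though its outer destination is $EXT_IP,
# and it is un-NATed back to the workstation that sent the large packet.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j SNAT --to-source $EXT_IP
# Assumed extra: accept PMTU discovery errors explicitly (ICMP type 3 code 4),
# so Path MTU discovery keeps working even if the RELATED rule is tightened
# later. Without this, large transfers to some hosts stall instead of failing.
iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
EOF
}

# Apply the printed rules (needs root and iptables on the box).
apply() {
    ruleset | sh
}

# Quick PMTU sanity check from behind the firewall: send a non-fragmentable
# ping of the given payload size. With the rules above the host either answers
# or we see a 'Frag needed' message; with ICMP dropped the probe just times out.
pmtu_check() {
    host=$1
    size=${2:-1472}   # 1472 + 28 bytes of headers = 1500, the usual Ethernet MTU
    ping -M do -s "$size" -c 1 "$host"
}

if [ "${1:-}" = "apply" ]; then
    apply
elif [ "${1:-}" = "check" ] && [ -n "${2:-}" ]; then
    pmtu_check "$2" "${3:-}"
fi
```

The `-m conntrack --ctstate` match is the modern spelling of the `-m state --state` rule the reply refers to; both rely on the same connection-tracking code. If you do not control every rule upstream of the RELATED line, the explicit `fragmentation-needed` accept is the one to keep.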