[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ICMP Drop - Part II

On Thu, 09 Oct 2003, Menno Scholten wrote:
> After reading the concerns about dropping ICMP packets I was wondering
> if this also applies to a firewall with all inbound traffic blocked. 

Yes. If you block the 'destination unreachable, fragmentation needed'
packets, you will no longer be able to get large packets from a fair
proportion of the Internet -- enough to annoy, but not enough to cripple
the connection. 

> I block everything from the outside and SNAT internet traffic from my
> local workstations to my external IP. If those 'fragmentation needed'
> packets are sent to my IP, they would only come in reply to a
> connection I've made and thus be associated with an existing
> connection right? So they would be accepted as part of the NAT'ed
> connection.

If you have a rule that says accept 'RELATED' packets, the ICMP will be
accepted, as long as the association can be determined.

> Is the above true? I understand about applications that work on an IP
> to IP basis like MSN, but am I right for everything that works without
> special firewall rules?

Yes, with the iptables 'connection tracking' stuff and the 'RELATED'

> Hope this is not too stupid of a question..

Nope. Well asked. :)

The only place men want depth in a woman is in her décolletage.
        -- Zsa Zsa Gabor

Reply to: