
Re: Path MTU (was: RE:)



Timothy Earl said:
> Hello all,
> 
> I am having a little trouble understanding the differences between Firewall
> / Proxy activity on internal / external nets. For example I read recently
> out of a book I am going through, that one should reconsider blocking all
> ICMP traffic for reasons related to fragmentation. I was wondering, with my
> current setup how does this affect packets coming from my external
> (internet) interface and packets on my internal network, because based on
> what is written my firewall/router will just drop packets with a too high
> MTU without warning the host that sent it, but by using NATing I should
> think this should not affect any of my internal hosts communicating with
> external hosts. On the other hand I guess they mean that this will affect
> communication on my internal net. Could someone clear me up on this or
> direct me to some documents that explain this kind of networking activity a
> little more in detail?

Path MTU is very important. I've been bitten a few times. Basically, if
a router somewhere along the path between you and point B has a smaller
MTU set than you are sending, and you have the DF bit set (which is
what hosts that understand PMTU use), the remote host will send an ICMP
type 3 "Destination Unreachable" to you telling you what size will fit.
If you straight out drop all ICMP messages, you'll have inconsistent
communications.

Also, if the remote host doesn't notify you with an ICMP message because
a firewall on their end is dropping ICMP on the floor, you can have some
good fun troubleshooting.

http://www.netheaven.com/pmtu.html
http://www.faqs.org/rfcs/rfc1191.html
http://www.sendmail.org/tips/pathmtu.html

> My second question is which ICMP types should be allowed into the external
> interface, if any?
> 

I allow types 0, 3, 4, 8, 11, 12 on my corp net. echo/echo reply are
worth their weight in troubleshooting. On my home net, I don't allow
echo in, just to seem a little less visible on the net.

/phil
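As an added illustration (not part of Phil's message or the quoted book), here is a small Python simulation of the RFC 1191 behaviour described above: a DF-marked packet that exceeds a link MTU triggers an ICMP type 3 code 4 reply carrying the next-hop MTU, and a firewall that drops all ICMP turns that into a silent black hole. The router MTUs and packet sizes are constructed sample values.

```python
"""Simulated Path MTU discovery (RFC 1191), with and without an ICMP filter."""
from dataclasses import dataclass

ICMP_DEST_UNREACH = 3   # ICMP type 3, "Destination Unreachable"
ICMP_FRAG_NEEDED = 4    # code 4, "fragmentation needed and DF set"


@dataclass
class Packet:
    size: int
    dont_fragment: bool = True  # hosts doing PMTUD send with DF set


def forward(path_mtus, pkt, filter_icmp=False):
    """Push pkt through a chain of routers whose link MTUs are path_mtus.

    Returns ('delivered', size) if it arrives intact, ('fragmented', mtu) if a
    router had to fragment a non-DF packet, ('icmp', next_hop_mtu) if a router
    answers with type 3 / code 4, or ('dropped', None) if a firewall on the
    return path discards that ICMP message (the PMTU black hole).
    """
    for mtu in path_mtus:
        if pkt.size > mtu:
            if not pkt.dont_fragment:
                return ('fragmented', mtu)
            if filter_icmp:
                return ('dropped', None)       # nobody tells the sender
            return ('icmp', mtu)               # type 3 code 4 with next-hop MTU
    return ('delivered', pkt.size)


def discover_pmtu(path_mtus, initial_size, filter_icmp=False, max_tries=10):
    """Return the path MTU the sender converges on, or None if it never learns."""
    size = initial_size
    for _ in range(max_tries):
        status, value = forward(path_mtus, Packet(size), filter_icmp)
        if status == 'delivered':
            return size
        if status == 'icmp':
            size = value   # shrink to the MTU reported in the ICMP message
        else:
            return None    # silent drop: large segments never get through


if __name__ == '__main__':
    # Constructed path: 1500 (LAN), 1492 (PPPoE hop), 1400 (tunnel hop)
    route = [1500, 1492, 1400]
    print('PMTU with ICMP allowed :', discover_pmtu(route, 1500))
    print('PMTU with ICMP filtered:', discover_pmtu(route, 1500, filter_icmp=True))
```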


