
Re: Path MTU (was: RE:)



--- Phil Dyer <phil.dyer@cox.net> wrote:

> Timothy Earl said:
> > Hello all,
> > 
> > I am having a little trouble understanding the differences between
> > Firewall / Proxy activity on internal / external nets. For example I read
> > recently out of a book I am going through, that one should reconsider
> > blocking all ICMP traffic for reasons related to fragmentation. I was
> > wondering, with my current setup how does this affect packets coming from
> > my external (internet) interface and packets on my internal network,
> > because based on what is written my firewall/router will just drop
> > packets with a too high MTU without warning the host that sent it, but by
> > using NATing I should think this should not affect any of my internal
> > hosts communicating with external hosts. On the other hand I guess they
> > mean that this will affect communication on my internal net.. Could
> > someone clear me up on this or direct me to some documents that explain
> > this kind of networking activity a little more in detail?
> 
> Path MTU is very important. I've been bitten a few times. Basically, if
> a router somewhere along the path between you and point b has a smaller
> MTU set than you are sending, and you have the DF bit set, (which is
> what hosts that understand pmtu use) the remote host will send an icmp
> type 3 "Destination Unreachable" to you telling you what size will fit.
> If you straight out drop all icmp messages, you'll have inconsistent
> communications.
> 
> Also, if the remote host doesn't notify you with an icmp message because
> a firewall on their end is dropping icmp on the floor you can have some
> good fun troubleshooting.
> 
> http://www.netheaven.com/pmtu.html
> http://www.faqs.org/rfcs/rfc1191.html
> http://www.sendmail.org/tips/pathmtu.html
> 
> > My second question is which ICMP types should be allowed in to the
> > external interface if any?
> > 
> 
> I allow types 0, 3, 4, 8, 11, 12 on my corp net. echo/echo reply are
> worth their weight in troubleshooting. On my home net, I don't allow
> echo in, just to seem a little less visible on the net.
> 
> /phil
> 
This is a good first run, short and sweet.  However you should also be
aware of and block the troublesome ICMP msgs.

1. Pings to broadcast addresses (like 209.98.255.255), these can easily
generate hundreds of replies (pongs) AND be targeted at any host on the net.
1a. Pings not originating from their own reverse route, coming from somewhere
other than where the pong would be routed.
2. Pongs above a given rate, count/minute/net is a good way to go if you
have hundreds or thousands of hosts.
3. Unreachables, your connection tracking firewall should be able to match
TCP windows and UDP data to verify authenticity.  (icmp --state RELATED
ACCEPT; ICMP unreach DROP)

There are many more but these are at the top of my list.  If we can get a
good list going I'd like to add this to the WiKi.  Also it'd be nice to
know which of the above are caught by --state INVALID.

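A small, constructed Python model of the filtering discussed in this thread (an added example, not code from the list thread or from any Debian tool): Phil's allowed ICMP types combined with the three checks above, where the RELATED match is approximated by checking the datagram quoted inside an ICMP error against a set of flows the firewall has tracked. The REPLY_RATE_LIMIT threshold, the per-/24 grouping and the sample packets are assumptions for illustration.

```python
import ipaddress
import struct
from collections import defaultdict

# Constructed policy encoding the thread's points: Phil's allowed ICMP types
# plus checks for broadcast pings, echo-reply rate per net, and ICMP errors
# that do not quote a tracked connection (the iptables RELATED idea).
ALLOWED_TYPES = {0, 3, 4, 8, 11, 12}
REPLY_RATE_LIMIT = 100  # echo replies per minute per /24 (assumed threshold)


def parse_icmp(payload):
    """Return (type, code) from the first two bytes of an ICMP message."""
    return struct.unpack("!BB", payload[:2])


def quoted_flow(payload):
    """Extract (proto, src, sport, dst, dport) of the datagram quoted in an
    ICMP error message (RFC 792: original IP header + first 8 data bytes)."""
    inner = bytes(payload[8:])            # skip the 8-byte ICMP header
    ihl = (inner[0] & 0x0F) * 4           # IP header length in bytes
    proto = inner[9]
    src = str(ipaddress.ip_address(inner[12:16]))
    dst = str(ipaddress.ip_address(inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return (proto, src, sport, dst, dport)


class IcmpPolicy:
    def __init__(self, tracked_flows, limit=REPLY_RATE_LIMIT):
        self.tracked = set(tracked_flows)     # flows the stateful firewall saw
        self.limit = limit
        self.reply_counts = defaultdict(int)  # (dest /24, minute) -> replies

    def decide(self, dst, payload, minute=0):
        itype, _code = parse_icmp(payload)
        if itype not in ALLOWED_TYPES:
            return "DROP"
        net = ipaddress.ip_network(f"{dst}/24", strict=False)
        if itype == 8 and ipaddress.ip_address(dst) == net.broadcast_address:
            return "DROP"                 # 1. ping aimed at a broadcast address
        if itype == 0:                    # 2. cap pongs per minute per net
            self.reply_counts[(net, minute)] += 1
            if self.reply_counts[(net, minute)] > self.limit:
                return "DROP"
        if itype in (3, 4, 11, 12):       # 3. errors must quote a tracked flow
            if quoted_flow(payload) not in self.tracked:
                return "DROP"
        return "ACCEPT"
```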





