ronnie sahlberg wrote:
> Blocking ICMP will usually break TCP completely.
> Things like path mtu discovery will no longer work,
> routing loops can no longer be detected, etc etc.
> This leads to tcp connections hanging indefinitely and other bad things.
>
>
> Please tell the person blocking icmp in the firewall he is
> "misinformed" (better than saying he is stupid) and should stop
> blocking icmp if he wants the network to work.
>
> Dont block icmp. icmp is a vital part of the ip stack and blocking it
> will break things.
ICMP MTU exceeded is about the only essential one. Either that or the
network people need to explicity inform you of all the MTU limiting
devices in the path. Let me give you a real world example.
server 1 -> firewall -> router 1 -> router 2 -> server 2
both servers use the default 1500 byte ethernet MTU.
All goes fine until server 1 tries to send a 1493-1500 byte packet.
Router 1 tries to reply with MTU exceeded because the link to router 2
is ADSL and it needs 8 bytes for SNAP/LLC headers. Firewall drops the
ICMP. Server 2 sends dup acks so server 1 retransmits until eventually
one end or the other sends an RST. It's no problem with traffic on the
return path because server 2 gets fraq required from router 2.
Solved on Windows by forcing the MTU to 1492. This is a global setting
for all interfaces.
Solved on AIX by setting the route MTU to 1492.
Doing it the right way and having security allow the MTU exceeded? Not a
hope in hades. Paranoia rules.
--
There's no point in being grown up if you can't be childish sometimes.
-- Dr. Who