From owner-freebsd-hackers Thu Jun 8 9: 0:41 2000
Delivered-To: freebsd-hackers@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66]) by hub.freebsd.org (Postfix) with ESMTP id ACB7637B649 for ; Thu, 8 Jun 2000 09:00:37 -0700 (PDT) (envelope-from nate@yogotech.com)
Received: from nomad.yogotech.com (yogotech.nokia.com [4.22.66.156]) by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id KAA15419; Thu, 8 Jun 2000 10:00:27 -0600 (MDT) (envelope-from nate@nomad.yogotech.com)
Received: (from nate@localhost) by nomad.yogotech.com (8.8.8/8.8.8) id JAA24953; Thu, 8 Jun 2000 09:00:17 -0700 (PDT) (envelope-from nate)
Date: Thu, 8 Jun 2000 09:00:17 -0700 (PDT)
Message-Id: <200006081600.JAA24953@nomad.yogotech.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Dave Preece
Cc: "Kenneth D. Merry" , freebsd-hackers@FreeBSD.ORG
Subject: RE: Path MTU discovery.
In-Reply-To: <67B808B0DD93D211ABEE0000B498356B02BC71@internet.kbgroup.co.nz>
References: <67B808B0DD93D211ABEE0000B498356B02BC71@internet.kbgroup.co.nz>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> > > Just learning about this: I can see the advantages but does
> > > anything use it?
> >
> > Sure, TCP uses it.
>
> So... thinking about what this means for firewalls and natd. If we block all
> incoming ICMP's across the firewall

The moral of the story is don't block *ALL* incoming ICMP's across the
firewall. :)

Something like:

/sbin/ipfw add 1000 pass icmp from any to any via ${netif} icmptypes 0,3,11

Works for me, although you may not want type 11 packets coming in. (I
allow them in, so I can run traceroute.)


Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
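The reason type 3 has to be on the allow list is that Path MTU discovery (RFC 1191) is driven by ICMP type 3 code 4, "fragmentation needed and DF set", which carries the next-hop MTU in the otherwise unused 16 bits of the ICMP header; drop all ICMP and a DF-marked TCP segment that is too big for some hop simply vanishes. The ipfw rule in the post is stateless, so any host on the Internet can send type 3 or 11 messages at the firewall; the usual mitigation is to accept those types only when the datagram they quote (IP header plus 8 bytes) belongs to a connection this side actually opened. The Python below is an added example, not code from the post or from ipfw: it builds such messages, then applies the allow list from the post plus a flow-table check and a floor on the reported MTU. The flow table, the packets, the 68-byte floor (RFC 791 minimum) and the decision to reject unmatched type 3/11 messages are this example's own constructed assumptions.

```python
import struct
from ipaddress import IPv4Address

# ICMP types the ipfw rule in the post lets in:
# 0 = echo reply, 3 = destination unreachable, 11 = time exceeded.
ALLOWED_ICMP_TYPES = {0, 3, 11}
ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED = 0, 3, 11
CODE_FRAG_NEEDED = 4      # type 3 code 4: "fragmentation needed and DF set", the PMTUD signal
MIN_PLAUSIBLE_MTU = 68    # RFC 791 minimum; this example's own floor against forced tiny MTUs


def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071); 0 over a message whose field is filled in."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with DF set, as a PMTUD-probing sender would emit."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_icmp(itype: int, code: int, rest: bytes, quoted: bytes = b"") -> bytes:
    """ICMP message: type, code, checksum, 4 'rest of header' bytes, then the quoted datagram."""
    assert len(rest) == 4
    body = bytes([itype, code, 0, 0]) + rest + quoted
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def build_frag_needed(next_hop_mtu: int, quoted: bytes) -> bytes:
    """RFC 1191 'fragmentation needed': 16 unused bits, then the next-hop MTU."""
    return build_icmp(ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, struct.pack("!HH", 0, next_hop_mtu), quoted)


def icmp_verdict(icmp: bytes, active_flows: set) -> tuple:
    """Stateful pass/drop decision for one inbound ICMP message.

    active_flows holds (local_ip, local_port, remote_ip, remote_port) for connections this
    host opened (a constructed stand-in for the kernel's PCB table). Returns
    (verdict, reason, next_hop_mtu); next_hop_mtu is None unless a valid
    fragmentation-needed message was accepted.
    """
    if len(icmp) < 8:
        return ("drop", "truncated icmp header", None)
    if inet_checksum(icmp) != 0:
        return ("drop", "bad icmp checksum", None)
    itype, code = icmp[0], icmp[1]
    if itype not in ALLOWED_ICMP_TYPES:
        return ("drop", "icmp type %d not in allow list" % itype, None)
    if itype == ICMP_ECHO_REPLY:
        return ("pass", "echo reply", None)

    # Types 3 and 11 quote the datagram that provoked them: its IP header plus the first
    # 8 bytes of payload. Requiring that quote to match a flow we actually opened is what
    # stops an off-path host from injecting bogus MTUs or unreachables.
    quoted = icmp[8:]
    if len(quoted) < 20 or quoted[0] >> 4 != 4:
        return ("drop", "no usable quoted datagram", None)
    ihl = (quoted[0] & 0x0F) * 4
    if len(quoted) < ihl + 8:
        return ("drop", "quoted datagram too short", None)
    proto = quoted[9]
    src, dst = str(IPv4Address(quoted[12:16])), str(IPv4Address(quoted[16:20]))
    if proto not in (6, 17):      # TCP or UDP: ports are the first 4 quoted transport bytes
        return ("drop", "quoted protocol %d not tracked" % proto, None)
    sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    if (src, sport, dst, dport) not in active_flows:
        return ("drop", "quoted datagram matches no active flow", None)

    if itype == ICMP_TIME_EXCEEDED:
        return ("pass", "time exceeded for an active flow", None)
    if code != CODE_FRAG_NEEDED:
        return ("pass", "destination unreachable code %d for an active flow" % code, None)
    mtu = struct.unpack("!H", icmp[6:8])[0]
    if mtu < MIN_PLAUSIBLE_MTU:
        return ("drop", "implausible next-hop mtu %d" % mtu, None)
    return ("pass", "fragmentation needed, next-hop mtu %d" % mtu, mtu)


def demo() -> dict:
    """Constructed sample traffic: one open TCP flow and a handful of inbound ICMP messages."""
    flows = {("10.0.0.5", 40000, "192.0.2.10", 443)}
    our_seg = build_ipv4_header("10.0.0.5", "192.0.2.10", 6, 1500) + struct.pack("!HHI", 40000, 443, 1)
    other_seg = build_ipv4_header("10.0.0.5", "192.0.2.10", 6, 1500) + struct.pack("!HHI", 40001, 443, 1)
    genuine = build_frag_needed(1400, our_seg)
    samples = {
        "pmtud_ok": genuine,
        "pmtud_spoofed_flow": build_frag_needed(1400, other_seg),
        "pmtud_tiny_mtu": build_frag_needed(40, our_seg),
        "corrupted": genuine[:10] + bytes([genuine[10] ^ 0xFF]) + genuine[11:],
        "ttl_exceeded": build_icmp(ICMP_TIME_EXCEEDED, 0, b"\x00" * 4, our_seg),
        "echo_reply": build_icmp(ICMP_ECHO_REPLY, 0, struct.pack("!HH", 0x1234, 1)),
        "echo_request": build_icmp(8, 0, struct.pack("!HH", 0x1234, 1)),
    }
    return {name: icmp_verdict(pkt, flows) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (verdict, reason, mtu) in demo().items():
        print("%-20s %-4s %s" % (name, verdict, reason))
```

The genuine message is the only one that yields an MTU to feed back into the route; a message quoting a port we never used, one claiming a 40-byte MTU, and one with a corrupted checksum are all dropped even though their type is on the post's allow list. Type 11 with a matching quoted probe is what traceroute needs, which is why the post keeps it open.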