 From:  Frederick Page <fpage at thebetteros dot oche dot de>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  ICMP and Packet Considerations
 Date:  Fri, 30 Jul 2004 05:06:52 +0200
Hello everybody,

disclaimer: this is not a rant or criticism of m0n0wall, I'm just
trying to give some ideas to think about, maybe incorporate something
in upcoming releases.

By default m0n0wall blocks incoming traffic from the WAN interface, to
my understanding this includes ICMP. Okay, I can explicitly enable it,
but have to enable all ICMP, including Type 5 which can be considered
a security risk. (Or did I overlook the part where you can specify
ICMP types in the firewall?)

Unfortunately there is such a thing as PMTU, almost every TCP packet
has the DF flag set and a non-braindead firewall admin wants either to
receive ICMP Type 3 or the DF flag stripped from his outgoing packets.

Explanation: packets are sent with the Don't Fragment flag set. Someone
with a lesser MTU (maximum transfer unit) cannot process the packets,
he needs to fragment them, but isn't allowed to (DF flag set). So he
sends a cry for help (ICMP Type 3) to the sender. If the sender is
braindead, he has just blocked ICMP and does not "hear" the other guy.

This other guy waits and waits and gets a timeout. Why are TCP packets
sent with DF? In order to make MTU Path-Discovery possible, so that
sender/recipient can negotiate the maximum possible MTU, which speeds
things up.

So if one does block ICMP, one should at least strip the DF flag, so
that every recipient is allowed to fragment packets (if necessary).

Any thoughts?

Kind regards  Frederick
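Added illustration of the black-hole scenario described in this message (example code written for this page, not from the original post or the m0n0wall project). It models one router hop with a constructed link MTU of 1400 bytes, a 1500-byte datagram with a 20-byte IP header, and a sender firewall that either drops or accepts the inbound ICMP Type 3 message; real PMTUD (RFC 1191) involves more hops and timers, but the three outcomes are the ones the post argues about.

```python
# Minimal model of Path MTU Discovery: why sending with DF set while dropping
# all inbound ICMP strands the connection, and why either accepting ICMP
# Type 3 (Code 4, "fragmentation needed") or clearing DF restores delivery.
# All sizes and MTUs here are constructed for illustration.
from dataclasses import dataclass

IP_HEADER = 20  # bytes; assumes no IP options


@dataclass
class Result:
    delivered: bool
    fragments: int   # datagrams that reached the receiver
    attempts: int    # send attempts made by the sender


def hop(size: int, df: bool, link_mtu: int):
    """One router with a smaller link MTU. Returns (fragment sizes, next-hop MTU hint)."""
    if size <= link_mtu:
        return [size], None
    if df:
        # Router may not fragment: it discards the datagram and sends ICMP Type 3
        # Code 4 back to the sender, carrying the next-hop MTU (RFC 1191).
        return [], link_mtu
    # DF clear: router fragments. Fragment payloads (except the last) are
    # multiples of 8 bytes because the offset field counts 8-byte units.
    payload, per_frag = size - IP_HEADER, (link_mtu - IP_HEADER) // 8 * 8
    frags = []
    while payload > 0:
        chunk = min(payload, per_frag)
        frags.append(chunk + IP_HEADER)  # each fragment carries its own IP header
        payload -= chunk
    return frags, None


def send(size: int, path_mtu: int, set_df: bool, icmp_allowed: bool,
         max_attempts: int = 3) -> Result:
    """Sender behind a firewall that either drops or passes inbound ICMP Type 3."""
    cur = size
    for attempt in range(1, max_attempts + 1):
        frags, mtu_hint = hop(cur, set_df, path_mtu)
        if frags:
            return Result(True, len(frags), attempt)
        if not icmp_allowed:
            continue  # the "cry for help" was dropped; sender retransmits the same size
        cur = mtu_hint  # PMTUD: shrink to the advertised MTU and retry
    return Result(False, 0, max_attempts)
```

The black-hole case is `send(1500, 1400, set_df=True, icmp_allowed=False)`, which never delivers; allowing the Type 3 message delivers on the second attempt, and clearing DF delivers on the first attempt as two fragments.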