 From:  "Christopher M. Iarocci" <iarocci at eastendsc dot com>
 To:  Frederick Page <fpage at thebetteros dot oche dot de>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] ICMP and Packet Considerations
 Date:  Fri, 30 Jul 2004 07:46:53 -0400
Frederick Page wrote:

>Hello everybody,
>
>disclaimer: this is not a rant or criticism of m0n0wall, I'm just
>trying to give some ideas to think about, maybe incorporate something
>in upcoming releases.
>
>By default m0n0wall blocks incoming traffic from the WAN interface, to
>my understanding this includes ICMP. Okay, I can explicitly enable it,
>but have to enable all ICMP, including Type 5 which can be considered
>a security-risk. (Or did I overlook the part where you can specify
>ICMP types in the firewall?)
>
>Unfortunately there is such a thing as PMTU, almost every TCP-packet
>has the DF flag set and a non-braindead firewall admin wants either to
>receive ICMP-Type 3 or the DF-flag stripped from his outgoing packets.
>
>Explanation: packets are sent with Don't Fragment Flag set. Someone
>with a lesser MTU (maximum transfer unit) cannot process the packets,
>he needs to fragment them, but isn't allowed to (DF flag set). So he
>sends a cry for help (ICMP Type 3) to the sender. If the sender is
>braindead, he has just blocked ICMP and does not "hear" the other guy.
>
>This other guy waits and waits and gets a timeout. Why are TCP-packets
>sent with DF? In order to make MTU Path-Discovery possible, so that
>sender/recipient can negotiate the maximum possible MTU, which speeds
>up things.
>
>So if one does block ICMP, one should at least strip the DF flag, so
>that every recipient is allowed to fragment packets (if necessary).
>
>Any thoughts?
>
>Kind regards  Frederick
>  
>
Seems like a well thought out criticism, and I agree.  There certainly 
is a potential problem waiting to happen here, and unless people have 
the knowledge you just sent to the list, they'd be stumped why they 
can't communicate to someone else.  DSL users are probably most at risk 
due to their slightly lower MTU setting.  I bet even a few that might 
have read this just had a lightbulb go off in their heads.  :-)

Chris
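The PMTU black-hole scenario Frederick describes, as an added Python example that is not part of the thread: it builds and parses an ICMP Type 3 Code 4 message (with the RFC 1191 Next-Hop MTU field), applies a WAN filter that admits Type 3 but not Type 5, and simulates a DF-set sender with ICMP allowed, with ICMP blocked, and with DF cleared. The packet sizes, MTUs and the echoed header bytes are constructed values, not taken from any real capture or from m0n0wall.

```python
import struct

def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement checksum; a valid message sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(typ: int, code: int, rest: bytes, payload: bytes) -> bytes:
    """Assemble an ICMP message: type, code, checksum, 4 'rest of header' bytes, payload."""
    body = struct.pack("!BBH", typ, code, 0) + rest + payload
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

def frag_needed(next_hop_mtu: int, orig_ip_hdr_and_8: bytes) -> bytes:
    """Type 3 code 4, 'fragmentation needed and DF set', carrying the RFC 1191 Next-Hop MTU."""
    return build_icmp(3, 4, struct.pack("!HH", 0, next_hop_mtu), orig_ip_hdr_and_8)

def parse_icmp(msg: bytes):
    """Return (type, code, next_hop_mtu); reject truncated or corrupt messages."""
    if len(msg) < 8 or icmp_checksum(msg) != 0:
        raise ValueError("truncated or corrupt ICMP message")
    typ, code, _csum, _unused, nh_mtu = struct.unpack("!BBHHH", msg[:8])
    return typ, code, nh_mtu

def wan_allows(msg: bytes) -> bool:
    """Narrow WAN allow-list: pass Destination Unreachable (type 3) only,
    so type 5 Redirects and everything else stay blocked."""
    typ, _, _ = parse_icmp(msg)
    return typ == 3

# Constructed stand-in for the original IP header + 8 bytes a router echoes back.
ECHOED_HEADER = bytes([0x45]) + bytes(27)

def pmtud_send(payload_len: int, path_mtus, icmp_filter, df: bool = True):
    """Simulate a sender behind the firewall. Returns (mtu_used, delivered)."""
    mtu = 1500
    bottleneck = min(path_mtus)
    for _ in range(8):
        pkt_len = min(mtu, 40 + payload_len)  # IP + TCP headers + data
        if pkt_len <= bottleneck:
            return mtu, True
        if not df:
            return mtu, True  # DF cleared: the small-MTU hop fragments instead
        reply = frag_needed(bottleneck, ECHOED_HEADER)
        if not icmp_filter(reply):
            return mtu, False  # black hole: sender never hears the 'cry for help'
        _, _, mtu = parse_icmp(reply)
    return mtu, False
```

With a 1492-byte hop (the PPPoE case mentioned in the reply) the sender converges to 1492 when Type 3 is admitted, stalls at 1500 with undelivered data when all ICMP is dropped, and gets through unchanged when DF is cleared.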