Frederick Page wrote:
>disclaimer: this is not a rant or criticism of m0n0wall, I'm just
>trying to give some ideas to think about, maybe incorporate something
>in upcoming releases.
>By default m0n0wall blocks incoming traffic from the WAN interface, to
>my understanding this includes ICMP. Okay, I can explicitly enable it,
>but have to enable all ICMP, including Type 5 which can be considered
>a security-risk. (Or did I overlook the part where you can specify
>ICMP types in the firewall?)
>Unfortunately there is such a thing as PMTU, almost every TCP-packet
>has the DF flag set and a non-braindead firewall admin wants either to
>receive ICMP-Type 3 or the DF-flag stripped from his outgoing packets.
>Explanation: packets are sent with Don't Fragment Flag set. Someone
>with a lesser MTU (maximum transfer unit) cannot process the packets,
>he needs to fragment them, but isn't allowed to (DF flag set). So he
>sends a cry for help (ICMP Type 3) to the sender. If the sender is
>braindead, he has just blocked ICMP and does not "hear" the other guy.
>This other guy waits and waits and gets a timeout. Why are TCP-packets
>sent with DF? In order to make MTU Path-Discovery possible, so that
>sender/recipient can negotiate the maximum possible MTU, which speeds
>So if one does block ICMP, one should at least strip the DF flag, so
>that every recipient is allowed to fragment packets (if necessary).
>Kind regards Frederick
Seems like a well thought out criticism, and I agree. There certainly
is a potential problem waiting to happen here, and unless people have
the knowledge you just sent to the list, they'd be stumped why they
can't communicate to someone else. DSL users are probably most at risk
due to their slightly lower MTU setting. I bet even a few that might
have read this just had a lightbulb go off in their heads. :-)
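The two options Frederick lays out (let ICMP Type 3 in without letting Type 5 in, or strip DF on outbound packets) are both mechanical operations on the IP and ICMP headers. The following is an added example written for this thread, not m0n0wall code: it parses an ICMP message so a filter can admit a Type 3 "fragmentation needed" report while dropping redirects, and it clears the DF bit with the IPv4 checksum recomputed. The addresses, the 1500-byte outbound packet and the 1492-byte next-hop MTU (the usual PPPoE DSL figure) are constructed sample values.

```python
"""Added example for the m0n0wall PMTU thread (not m0n0wall code).

Builds a DF-set IPv4 header, builds the ICMP Type 3 / Code 4 report a
smaller-MTU router would send back, shows a per-type ICMP filter, and
strips DF with a checksum fixup. All packet bytes are constructed here.
"""
import struct

ICMP_DEST_UNREACH = 3    # Type 3, destination unreachable
ICMP_FRAG_NEEDED = 4     # Code 4 under Type 3: fragmentation needed and DF set
ICMP_REDIRECT = 5        # Type 5, the one the thread does not want to admit
ICMP_TIME_EXCEEDED = 11
IP_DF = 0x4000           # Don't Fragment bit in the IPv4 flags/offset field
IPPROTO_TCP = 6

# Inbound ICMP types a firewall can pass and still keep PMTU discovery
# working: unreachables (incl. frag needed), time exceeded, echo replies.
ALLOWED_INBOUND_ICMP_TYPES = {0, ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED}


def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (verifies to 0)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, payload_len, proto, df=True):
    """Minimal 20-byte IPv4 header; src/dst are 4-byte addresses."""
    flags_frag = IP_DF if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def has_df(hdr):
    return bool(struct.unpack("!H", hdr[6:8])[0] & IP_DF)


def clear_df(hdr):
    """Copy of the header with DF cleared and the checksum recomputed,
    i.e. the 'strip the DF flag' fallback from the thread."""
    flags_frag = struct.unpack("!H", hdr[6:8])[0] & ~IP_DF & 0xFFFF
    new = hdr[:6] + struct.pack("!H", flags_frag) + hdr[8:10] + b"\x00\x00" + hdr[12:]
    return new[:10] + struct.pack("!H", inet_checksum(new)) + new[12:]


def build_icmp_frag_needed(next_hop_mtu, orig_ip_hdr_plus_8):
    """ICMP Type 3 / Code 4 as in RFC 1191: unused(16), next-hop MTU(16),
    then the offending IP header plus 8 bytes of its payload."""
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
                       0, 0, next_hop_mtu) + orig_ip_hdr_plus_8
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_icmp(pkt):
    """Return (type, code, next_hop_mtu or None); raise on a bad message."""
    if len(pkt) < 8:
        raise ValueError("short ICMP message")
    if inet_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code = pkt[0], pkt[1]
    mtu = None
    if (icmp_type, code) == (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        mtu = struct.unpack("!H", pkt[6:8])[0]
    return icmp_type, code, mtu


def allow_inbound_icmp(icmp_type):
    """The per-type rule the thread asks for: pass Type 3, drop Type 5."""
    if icmp_type == ICMP_REDIRECT:
        return False
    return icmp_type in ALLOWED_INBOUND_ICMP_TYPES


def demo():
    """Sender emits a 1500-byte DF packet; a 1492-MTU hop answers."""
    src, dst = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])   # sample addresses
    outbound = build_ipv4_header(src, dst, 1480, IPPROTO_TCP, df=True)
    report = build_icmp_frag_needed(1492, outbound + b"\x00" * 8)
    icmp_type, code, mtu = parse_icmp(report)
    return {
        "reported_mtu": mtu,
        "report_passes_filter": allow_inbound_icmp(icmp_type),
        "redirect_passes_filter": allow_inbound_icmp(ICMP_REDIRECT),
        "df_before": has_df(outbound),
        "df_after_strip": has_df(clear_df(outbound)),
    }


if __name__ == "__main__":
    print(demo())
```

With the Type 3 report admitted, the sender learns the 1492-byte next-hop MTU and resends smaller packets; with all ICMP blocked, only the `clear_df` path keeps the connection alive, at the cost of letting every hop fragment.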