 From:  Frederick Page <fpage at thebetteros dot oche dot de>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] ICMP and Packet Considerations
 Date:  Fri, 30 Jul 2004 18:32:51 +0200
Hello Christopher,

Christopher M. Iarocci wrote on 30 July 2004:

>>So if one does block ICMP, one should at least strip the DF flag, so
>>that every recipient is allowed to fragment packets (if necessary).

>DSL users are probably most at risk due to their slightly lower MTU
>setting.

Indeed: I speak from my own (bad) experience. DSL (at least here in
Germany) is via PPP (PPPoE) and has 8 bytes overhead. If your internal
machine is behind, e.g., a Soekris net4x01 router, your internal network
even loses another 40 bytes of MTU size, which is needed for
masquerading/NAT.

Since my previous gateway/router was a "complete" Linux PC, I often
experienced the following: I opened a URL on the XP client, it
seemed to load fine, but then everything just "hung". When I opened
the same URL on the Linux machine, it was fine.

PMTU is a nice idea on how to negotiate optimum MTU sizes and speeds
up the Internet considerably. Unfortunately many "admins" don't understand
ICMP and see it as a security risk. (Indeed Type 5 = Redirect is a
security risk, since the redirecting machine will be an involuntary
smurf.) Therefore the concept of PMTU does not work anymore as
planned: people install "stealth" firewalls that block anything and
try to be invisible. Yes, the world is bad, no use whining about it.

I tried dealing with my bank about home-banking over Internet.
They also block ICMP and I had to do MSS-clamping :-(

>I bet even a few that might have read this just had a lightbulb go
>off in their heads.  :-)

That's why I explained it briefly ;-)

I'm just hoping that the developers read this mail. Again: this is
not a rant or so, just something to think about. Stripping the DF flag
from outgoing packets is (IMHO) a "good idea" [tm].

Kind regards

Frederick
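An added example (not part of Frederick's mail or of m0n0wall) that models the situation the thread describes: a PPPoE DSL link with an MTU of 1492, a sender that relies on path MTU discovery, and a firewall that silently drops the ICMP "fragmentation needed" reply. It contrasts the resulting black hole with the two workarounds named in the thread, stripping the DF flag on a firewall along the path and clamping the TCP MSS. Hop names, the three-hop path and the `Hop`/`Packet` classes are constructed for the illustration; the 8-byte PPPoE overhead and the 40-byte IPv4+TCP header size are the values the mail and standard header layouts give.

```python
"""Toy model of path MTU discovery (PMTUD) over a PPPoE DSL link and of the
black hole that appears when ICMP 'fragmentation needed' is filtered.
Constructed example: hop names, MTUs and the path itself are made up."""
from dataclasses import dataclass

IP_TCP_HEADERS = 40      # IPv4 header (20) + TCP header (20), no options
PPPOE_OVERHEAD = 8       # PPPoE header (6) + PPP protocol field (2)
ETHERNET_MTU = 1500


@dataclass
class Packet:
    size: int                 # total IP datagram size in bytes
    df: bool                  # Don't Fragment flag set
    fragmented: bool = False  # set once a router had to fragment it


@dataclass
class Hop:
    name: str
    mtu: int
    strips_df: bool = False   # firewall clears DF on packets it forwards (the proposal)


def pppoe_mtu(link_mtu: int = ETHERNET_MTU) -> int:
    """IP MTU left on the link once PPPoE encapsulation is accounted for."""
    return link_mtu - PPPOE_OVERHEAD


def clamp_mss(path_mtu: int) -> int:
    """MSS a firewall would write into the SYN so that segments fit path_mtu."""
    return path_mtu - IP_TCP_HEADERS


def forward(path, pkt):
    """Walk one packet down the path.
    Returns ("delivered", fragmented) or ("icmp", mtu_of_the_narrow_hop)."""
    for hop in path:
        if hop.strips_df:
            pkt.df = False
        if pkt.size <= hop.mtu:
            continue
        if not pkt.df:
            pkt.fragmented = True    # router fragments; the pieces fit from here on
            pkt.size = hop.mtu
            continue
        # DF set and too large: the router discards it and answers with
        # ICMP type 3 code 4 carrying its own MTU.
        return ("icmp", hop.mtu)
    return ("delivered", pkt.fragmented)


def send_with_pmtud(path, payload, df=True, mss=None, icmp_blocked=False, max_tries=5):
    """Sender side of PMTUD: start from the local MTU, shrink on each ICMP
    fragmentation-needed, and report a black hole when the reply never arrives
    (icmp_blocked models a firewall in front of the sender that drops it)."""
    segment = min(payload, mss) if mss is not None else payload
    size = segment + IP_TCP_HEADERS
    attempts = []
    for _ in range(max_tries):
        outcome = forward(path, Packet(size=size, df=df))
        attempts.append((size, outcome[0]))
        if outcome[0] == "delivered":
            return {"status": "ok", "size": size, "fragmented": outcome[1], "attempts": attempts}
        if not icmp_blocked:
            size = outcome[1]        # learned a smaller path MTU, resend
            continue
        # The ICMP error was filtered: the sender sees only silence and retransmits
        # the same oversized segment until it gives up. That is the "hang".
        return {"status": "black_hole", "size": size, "attempts": attempts}
    return {"status": "gave_up", "size": size, "attempts": attempts}


def dsl_path(strips_df: bool = False):
    """Constructed path: sender's LAN -> PPPoE DSL link (MTU 1492) -> receiver's LAN."""
    return [
        Hop("sender-lan", ETHERNET_MTU, strips_df=strips_df),
        Hop("dsl-pppoe", pppoe_mtu()),
        Hop("receiver-lan", ETHERNET_MTU),
    ]


def scenarios():
    """Run the four cases from the thread and return their outcomes."""
    payload = ETHERNET_MTU - IP_TCP_HEADERS     # 1460: sender assumes a 1500-byte path
    return {
        "pmtud_working": send_with_pmtud(dsl_path(), payload),
        "icmp_blocked": send_with_pmtud(dsl_path(), payload, icmp_blocked=True),
        "df_stripped": send_with_pmtud(dsl_path(strips_df=True), payload, icmp_blocked=True),
        "mss_clamped": send_with_pmtud(dsl_path(), payload, icmp_blocked=True,
                                       mss=clamp_mss(pppoe_mtu())),
    }


if __name__ == "__main__":
    print(f"PPPoE MTU: {pppoe_mtu()}, clamped MSS: {clamp_mss(pppoe_mtu())}")
    for name, result in scenarios().items():
        print(f"{name:14s} -> {result}")
```

Running the script shows the four outcomes side by side: working PMTUD costs one round trip and settles on 1492-byte packets; with the ICMP reply filtered the first 1500-byte packet is lost with no feedback; stripping DF lets the DSL router fragment, so the transfer completes at the cost of fragmentation; clamping the MSS to 1452 makes every segment fit on the first try without fragmentation and without depending on ICMP at all.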