[Mimedefang] Strange activity

Fernando Gleiser fgleiser at cactus.fi.uba.ar
Mon Jan 9 08:14:37 EST 2006


On Sat, 7 Jan 2006, Yizhar Hurwitz wrote:

>
> Well, as you know, many systems nowadays use xDSL lines, that some of them 
> have lower MTU because of tunneling protocols (such as PPPoE).
> And also, many firewalls drop ICMP packets required for PMTU, so you cannot 
> trust PMTU to find the best packet size.
> Some firewalls might also drop fragment packets.

If the firewall drops error ICMPs or fragmented packets then it's broken.
Blocking some kind of ICMP packets is one thing but blindly blocking
all ICMP is a Bad Idea (tm). Any decent stateful firewall can recognize
if an ICMP is a response to a packet you generated. IP filter (comes
in most BSDs) has been doing it since at least '99.

ICMP is an integral part of the TCP/IP suite. It is needed for TCP/IP
to work properly. You CAN'T (well, you can, but you shouldn't) block
all of it.

The same goes for fragments: dropping bare fragments is OK; dropping fragments
which you know are part of legitimate traffic isn't.



 			Fer
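As an added illustration, not part of the original thread, of the stateful check Fer describes: a firewall can pass an ICMP error only when the datagram quoted inside it belongs to a flow it has already passed outbound, and for "fragmentation needed" it can also read the next-hop MTU that PMTU discovery depends on. The state set, addresses, ports and the sample packet are all constructed here.

```python
import ipaddress
import struct
from typing import Optional, Set, Tuple

# A flow the firewall has already passed outbound, as a stateful filter
# would record it: (proto, src, sport, dst, dport).
FlowKey = Tuple[int, str, int, str, int]
ICMP_ERROR_TYPES = {3, 4, 11, 12}  # unreachable, source quench, time exceeded, parameter problem

def parse_icmp_error(icmp: bytes) -> Optional[Tuple[int, int, int, FlowKey]]:
    """Return (type, code, next_hop_mtu, flow key of the quoted packet), or None
    if this is not an ICMP error or the quoted packet is too short to identify."""
    if len(icmp) < 8 + 20 + 8:
        return None
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type not in ICMP_ERROR_TYPES:
        return None
    # For type 3 code 4 the last two header bytes carry the next-hop MTU (RFC 1191).
    mtu = struct.unpack("!H", icmp[6:8])[0] if (icmp_type, code) == (3, 4) else 0
    inner = icmp[8:]                       # the offending datagram's IP header + 8 bytes
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or len(inner) < ihl + 8:
        return None
    proto = inner[9]
    src = str(ipaddress.IPv4Address(inner[12:16]))
    dst = str(ipaddress.IPv4Address(inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])   # TCP and UDP both start with ports
    return icmp_type, code, mtu, (proto, src, sport, dst, dport)

def filter_icmp_error(icmp: bytes, state: Set[FlowKey]) -> str:
    """Pass an ICMP error only if the packet it quotes belongs to a flow we opened."""
    parsed = parse_icmp_error(icmp)
    if parsed is None or parsed[3] not in state:
        return "drop"
    icmp_type, code, mtu, _ = parsed
    return f"pass mtu={mtu}" if (icmp_type, code) == (3, 4) else "pass"

def build_frag_needed(src: str, sport: int, dst: str, dport: int, mtu: int) -> bytes:
    """Constructed sample: ICMP 'fragmentation needed' quoting a TCP packet's
    IP header and first 8 bytes. Checksums are left zero; nothing here verifies them."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                           ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    inner_tcp = struct.pack("!HHI", sport, dport, 0)          # sport, dport, seq
    return struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + inner_ip + inner_tcp

if __name__ == "__main__":
    # Constructed state: our MTA at 192.0.2.10 opened an SMTP connection to 203.0.113.5.
    state = {(6, "192.0.2.10", 40000, "203.0.113.5", 25)}
    pmtu = build_frag_needed("192.0.2.10", 40000, "203.0.113.5", 25, 1492)  # PPPoE-sized MTU
    print(filter_icmp_error(pmtu, state))                                    # pass mtu=1492
    unrelated = build_frag_needed("192.0.2.10", 40000, "198.51.100.9", 25, 576)
    print(filter_icmp_error(unrelated, state))                               # drop
```

Echo requests and other non-error ICMP are deliberately outside this function; they are the "some kinds of ICMP" a site may still choose to filter separately.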
