Gentoo Archives: gentoo-security

From: Mark Hurst <mark@××××××.net>
To: Oliver Schad <o.schad@×××.de>
Cc: gentoo-security@l.g.o
Subject: Re: [gentoo-security] firewall suggestions?
Date: Fri, 09 Jan 2004 08:08:43
In Reply to: Re: [gentoo-security] firewall suggestions? by Oliver Schad
> Sometimes your packets are too big for some parts of the net without > fragmenting so you get a message that you should reduce your packet > size. If you block such messages, you can't connect with the target. > These messages are delivered by ICMP so blocking of ICMP is very stupid.
No, blocking of "fragmentation required but DF set" ICMP is stupid. Allowing all ICMP in just to enable PMTU discovery is not required. regards -- gentoo-security@g.o mailing list