You are breaking Path MTU Discovery by not allowing the "Fragmentation needed but 'Do not Fragment' bit set" ICMP message through. Solaris and NT both use PMTUD, as fragmentation is bad and should be avoided where possible.

Another one to add to your list of necessary ICMPs, Carric.

Regards,
Richard Smyth

> -----Original Message-----
> From: EXT peter.schawackerat_private
> [mailto:peter.schawackerat_private]
> Sent: Saturday, January 15, 2000 2:53 AM
> To: firewall-wizardsat_private
> Subject: RE: Blocking ICMP with ipchains
>
>
> How could blocking all ICMP cause a problem? I have worked with two rather
> large networks that blocked all ICMP at the router level. Were we just lucky
> not to have any problems?
>
> -----Original Message-----
> From: wwebb [mailto:wwebbat_private]
> Sent: Tuesday, January 11, 2000 7:19 PM
> To: firewall-wizards
> Cc: wwebb
> Subject: Blocking ICMP with ipchains
>
>
> I've heard that it is not wise to block all ICMP operations. Such
> being the case, which of these ICMP operations are safe to block
> without causing serious problems:
>
> echo-reply (pong)
> destination-unreachable
> network-unreachable
> host-unreachable
> protocol-unreachable
> port-unreachable
> fragmentation-needed
> source-route-failed
> network-unknown
> host-unknown
> network-prohibited
> host-prohibited
> TOS-network-unreachable
> TOS-host-unreachable
> communication-prohibited
> host-precedence-violation
> precedence-cutoff
> source-quench
> redirect
> network-redirect
> host-redirect
> TOS-network-redirect
> TOS-host-redirect
> echo-request (ping)
> router-advertisement
> router-solicitation
> time-exceeded (ttl-exceeded)
> ttl-zero-during-transit
> ttl-zero-during-reassembly
> parameter-problem
> ip-header-bad
> required-option-missing
> timestamp-request
> timestamp-reply
> address-mask-request
> address-mask-reply
>
> Thanks for any assistance.
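An ipchains ICMP policy that keeps Path MTU Discovery working while still dropping the types most sites want blocked, as an added example that is not from any message in this thread. It assumes the external interface is eth0 and the stock ipchains `input`/`output` chains; the choice of which types beyond fragmentation-needed to accept is the author's suggestion, not Carric's list, and the script prints the commands by default (DRY_RUN=1) so the rules can be reviewed before loading.

```shell
#!/bin/sh
# Added example: an ICMP policy for ipchains that does not break PMTUD.
# Assumes the external interface is eth0 (assumption, override with EXT_IF).
# DRY_RUN=1 (default) prints the ipchains commands instead of running them.
DRY_RUN=${DRY_RUN:-1}
EXT_IF=${EXT_IF:-eth0}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ipchains $*"
    else
        ipchains "$@"
    fi
}

# ICMP types a host must still receive for TCP/IP to work.
# fragmentation-needed (type 3, code 4) carries the next-hop MTU; without it
# a sender with DF set never learns its packets are too big, so large
# transfers stall right after the handshake. time-exceeded is needed for
# traceroute and reassembly timeouts, port-/host-unreachable for fast
# failure of UDP and dead-host cases, echo-reply so our own pings work.
NEEDED_IN="fragmentation-needed time-exceeded parameter-problem
port-unreachable host-unreachable echo-reply"

# Types with no business arriving from outside: redirects can rewrite the
# routing table, the rest are legacy or reconnaissance.
BLOCKED_IN="redirect source-quench router-advertisement router-solicitation
timestamp-request address-mask-request echo-request"

icmp_policy() {
    for t in $NEEDED_IN; do
        run -A input -i "$EXT_IF" -p icmp --icmp-type "$t" -j ACCEPT
    done
    for t in $BLOCKED_IN; do
        run -A input -i "$EXT_IF" -p icmp --icmp-type "$t" -j DENY -l
    done
    # Any other ICMP on the external interface is dropped and logged.
    run -A input -i "$EXT_IF" -p icmp -j DENY -l
    # Let this host emit fragmentation-needed and friends towards peers,
    # otherwise remote hosts cannot do PMTUD through us either.
    run -A output -i "$EXT_IF" -p icmp -j ACCEPT
}

icmp_policy
```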
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:58:09 PDT