On Tue, 2003-07-29 at 02:31, Nick Nauwelaerts wrote:
> [...] Discarding, not blocking, incoming traffic
> has as added feature that it breaks MTU path discovery. If your firewall is
> part of an upstream route you break other people's troubleshooting. If this
> was done by everyone you can forget about basic troubleshooting tools such
> as traceroute or ping.

Path MTU discovery only gets broken if you block (or do not respond to) certain ICMP packets. You should be able to silently drop TCP, UDP, and most of ICMP (except for types 3 and 11, I believe).

Doing traceroutes has already become a PITA with certain providers. Luckily, those that block ICMP traceroutes still permit TCP traceroutes. Besides, most admins probably don't want you to be able to traceroute through their firewall :)

I agree on the hiding part. Also, TCP resets are especially useful for anything that throws idents your way (i.e. mail servers, secondary name servers).

Cheers,
Frank
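As an added example (not code from the thread or either poster), here is a small Python model of the policy Frank describes: silently drop unsolicited TCP/UDP and most ICMP, pass ICMP types 3 and 11, and answer ident (tcp/113) with a TCP reset. It also simulates Path MTU Discovery with the DF bit set to show that a firewall dropping type 3 black-holes the sender, while the policy above lets it converge on the path MTU. The packet records, port 113 for ident, and the MTU values are constructed assumptions, not real traffic.

```python
from dataclasses import dataclass

# Constructed model of the firewall policy from the mail; not real packet handling.
ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED = 3, 11
FRAG_NEEDED = 4      # ICMP type 3, code 4: "fragmentation needed and DF set"
IDENT_PORT = 113     # ident/auth, what mail servers query (assumed port)

@dataclass
class Packet:
    proto: str               # "tcp", "udp" or "icmp"
    dport: int = 0
    icmp_type: int = -1
    icmp_code: int = -1
    size: int = 0            # for ICMP 3/4: next-hop MTU carried in the reply
    df: bool = True

def policy_from_mail(pkt: Packet) -> str:
    """DROP almost everything silently, ACCEPT the ICMP types that PMTUD and
    traceroute depend on, and REJECT ident with a TCP RST so peers give up fast."""
    if pkt.proto == "icmp" and pkt.icmp_type in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
        return "ACCEPT"
    if pkt.proto == "tcp" and pkt.dport == IDENT_PORT:
        return "REJECT-tcp-reset"
    return "DROP"

def drop_all_icmp(pkt: Packet) -> str:
    """The over-zealous variant: every ICMP packet is discarded."""
    return "DROP" if pkt.proto == "icmp" else policy_from_mail(pkt)

def pmtud(sender_mtu: int, path_mtu: int, fw, max_tries: int = 8):
    """Sender keeps DF set; a router on the path answers oversized packets with
    ICMP type 3 / code 4 carrying its MTU. The inbound firewall `fw` decides
    whether that reply ever reaches the sender. Returns (delivered, mtu, tries)."""
    mtu = sender_mtu
    for attempt in range(1, max_tries + 1):
        if mtu <= path_mtu:
            return True, mtu, attempt          # packet fits, delivered
        reply = Packet("icmp", icmp_type=ICMP_DEST_UNREACH,
                       icmp_code=FRAG_NEEDED, size=path_mtu)
        if fw(reply) != "ACCEPT":
            continue                           # black hole: retransmit same size
        mtu = reply.size                       # shrink to the advertised next-hop MTU
    return False, mtu, max_tries               # never learned the path MTU
```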
This archive was generated by hypermail 2b30 : Wed Jul 30 2003 - 07:59:23 PDT