ICMP Packets.

Don Kendrick dkendrick@mindspring.com
Tue, 2 Jun 1998 15:52:18 -0400

Agreed on the Path MTU stuff in theory, though it really depends what kind
of traffic is going between the internal and external nets. For one, I'd
rather deny ICMP and suffer some on performance.


-----Original Message-----
From: Perry E. Metzger <perry@piermont.com>
To: Don Kendrick <dkendrick@mindspring.com>
Cc: Toddb <toddb@pacifier.com>; firewall-wizards@nfr.net
Date: Tuesday, June 02, 1998 12:14 PM
Subject: Re: ICMP Packets.

>"Don Kendrick" writes:
>> In the standard configuration of you, with a perimeter router, connected
>> point to point with an ISP's router; there's no reason I can think of
>> other than troubleshooting to allow ICMP packets to enter your
>> perimeter.
>I think stopping ICMP is, in general, a very bad idea. Among other
>things, you totally screw up Path MTU discovery, and you make it hard
>to trace network problems. The Path MTU breakage is especially bad --
>it will, among other things, impact your network performance.
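
The trade-off discussed in this thread, as an added example that is not part of either poster's message: a blanket ICMP deny also discards the one message Path MTU discovery relies on (type 3 code 4, "fragmentation needed and DF set", RFC 1191). The packets, addresses, and the second "PMTUD-only" policy are constructed assumptions for illustration and are not proposed by anyone in the thread.

```python
import struct

# ICMP type 3 code 4: "fragmentation needed and DF set" (RFC 1191).
DEST_UNREACH, FRAG_NEEDED = 3, 4

def build_packet(icmp_type, code, rest=b"\x00" * 4):
    """Constructed sample: minimal IPv4 header + ICMP header, checksums left zero."""
    icmp = struct.pack("!BBH", icmp_type, code, 0) + rest
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return ip + icmp

def parse_icmp(packet):
    """Return (type, code, next_hop_mtu) for IPv4 ICMP, or None if not ICMP/truncated."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", packet[ihl:ihl + 8])
    # The next-hop MTU field is only meaningful in a type 3 code 4 message.
    is_pmtud = (icmp_type, code) == (DEST_UNREACH, FRAG_NEEDED)
    return icmp_type, code, mtu if is_pmtud else None

def deny_all_icmp(packet):
    """Policy A: drop every inbound ICMP message."""
    return "drop" if parse_icmp(packet) else "not-icmp"

def allow_pmtud_only(packet):
    """Policy B (assumed here): drop ICMP except the Path MTU discovery signal."""
    parsed = parse_icmp(packet)
    if parsed is None:
        return "not-icmp"
    return "accept" if parsed[:2] == (DEST_UNREACH, FRAG_NEEDED) else "drop"

SAMPLES = {  # constructed packets
    "echo-request": build_packet(8, 0),
    "redirect": build_packet(5, 1),
    "frag-needed mtu=1400": build_packet(3, 4, struct.pack("!HH", 0, 1400)),
}

def compare():
    return {name: (deny_all_icmp(p), allow_pmtud_only(p)) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:22} deny-all={verdicts[0]:6} pmtud-only={verdicts[1]}")
```

Under policy A the sender never learns the 1400-byte next-hop MTU, so packets sent with DF set that exceed it are silently lost.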