On Sun, 2003-09-21 at 21:55, Bill Nottingham wrote:
A default taroon AS installation creates a set of firewall rules that block
"unreachable - need to frag" icmp packets. This severely breaks the linux
TCP/IP's stack patch MTU discovery and also makes it impossible to use RHEL
behind a NAT firewall over DSL or cipe.
Among some other types mentioned as well...
I think the author of the above doesn't understand how the statefulness
of IP tables works.
The use of "RELATED" matches the "unreachable - need to frag" ICMP
regarding conversations that the machine is involved in.
With the rules I originally supplied, if an ICMP error message (need to
frag, port unreachable, source quench, redirect, etc) arrives
out-of-the-blue, it will be blocked. This is good.
If an ICMP error messages arrives at the machine and that ICMP error
message is about (ie, RELATED) to an existing conversation the machine
is involved in, then the message will be allowed. This is good.
ICMP messages come in two flavors, QUERY and ERROR.
From a security standpoint, one should block all QUERY messages as
violate the principle of least disclosure. From a practical standpoint,
ICMP echo-request messages should be allowed to be a good LAN citizen
and play nice with the DHCP servers who want to double check IP address
Generally, one should not block ICMP error messages as they allow your
IP stack to respond quickly in the face of failures, and can be critical
to the operation of IP (eg, need to frag). However, with Linux we can do
better. You can allow ICMP error messages regarding real conversations
that your computer is is involved in and drop all others. This is ideal.
The previous rules (pre bugzilla #104561) implemented such a setup. IMO,
the current change is a regression.